Abstract 

A new approach to cryptanalysis is proposed where the goal is to explore the fundamental limits of a specific class of attacks 
against a particular cryptosystem. As a first step, the approach is applied to ABSG, which is an LFSR-based stream cipher where 
irregular decimation techniques are utilized. Consequently, under some mild assumptions, which are common in cryptanalysis, 
tight lower bounds on the algorithmic complexity of successful Query-Based Key-Recovery attacks are derived for two different 
setups of practical interest. The proofs rely on the concept of "typicality" from information theory. 

I. Introduction 

In this paper, we introduce a (to the best of our knowledge) novel approach to cryptanalysis. In our approach, the focus is 
jointly on a particular cryptosystem and a specific (sufficiently broad) class of attacks of interest at the same time. Then, under 
some mild conditions, the goal is to derive the achievable fundamental performance limit for the attacks within the considered 
class of interest against the cryptosystem at hand.¹ The aforementioned limit should be "achievable", in the sense that it is 
necessary to provide an explicit attack construction whose performance coincides with the derived limit. Furthermore, the 
aforementioned limit should also necessarily be "fundamental", in the sense that within the considered specific class, there 
does not exist any attack whose performance is superior to the derived limit. 
Our proposed approach contrasts with the trend in conventional cryptanalysis, which can be outlined in two categories. In the 
first category, the focus is on the construction of a generic attack, which should be applicable (subject to slight modifications) 
to most cryptosystems; common examples include time-memory tradeoff attacks [1], [2], correlation attacks [3], [4], algebraic 
attacks [5], [6] and alike. The second category is conceptually on the opposite side of the spectrum. Here, given a particular 
cryptosystem, the focus is on the construction of a potentially-specialized attack, which is "tailored" specifically against the 
system at hand; hence, the resulting attack is not applicable to a broader class of cryptosystems in general. Although the 
approaches pursued in the aforementioned two attack categories are radically different, it is interesting to note that, for both of 
them the underlying fundamental goal is the same, which can be summarized as providing "design advice" to the cryptosystem 
designer. In practice, at first, the cryptosystem designer is expected to test his/her proposed system against generic attacks 
(first category); thus, such attacks serve as a benchmark for the community of cryptosystem designers. Next, the cryptanalyst 
tests a proposed cryptosystem via constructing a cryptosystem-specific attack algorithm (second category). Both categories 
have been shown to be extremely valuable in practice since the first one provides a "unified approach" to cryptanalysis via 
providing some generic attack algorithms and the second one specifically tests the security of the considered cryptosystem and 
consequently yields its potential weaknesses. On the other hand, both categories of the conventional approach in cryptanalysis 
fail to provide fundamental performance bounds, i.e., the question of "what is the best that can be done?" goes unanswered. 
The main reason is that, for the first category, finding out a fundamental performance bound necessarily requires considering 
all possible cryptosystems, which is infeasible in practice; within the second category, providing a fundamental performance 
bound necessarily requires "describing" all possible cryptanalytic propositions (in a computational sense) and quantifying the 
resulting performances, which is again infeasible in practice. 

In our proposed approach, we aim to derive "the best possible performance bound" in a reasonably-confined setup. 
Intuitively, we "merge" the first and the second categories of the conventional cryptanalytic approach; we jointly focus on 
both a particular cryptosystem and a specific class of attacks, and subsequently aim to analytically quantify the fundamental, 
achievable performance bounds, i.e., specifically for a given cryptosystem, our goal is to find the achievable lower-bound on 
the complexity of a proposed class of attacks, under a set of mild assumptions. The main impact of this approach is that it 
aims to provide advice for the cryptanalyst, instead of the cryptosystem designer, in contrast with the conventional approach. 
If this resulting advice is "positive" (i.e., the fundamental achievable performance bound is of polynomial complexity), then 
the weakness of the analyzed cryptosystem is guaranteed (which can also be achieved via pursuing the second category of the 
conventional cryptanalytic approach). However, more interestingly, if the resulting advice is "negative" (i.e., the fundamental 
achievable performance bound is of exponential complexity), then the considered class of attacks is guaranteed to be useless, 
which, in turn, directs a cryptanalyst to consider different classes of attacks, instead of experimenting with various attacks 
from the considered class via a (possibly educated) trial-and-error approach. Thus, the negative advice case (for which this 
paper serves an exemplary purpose) constitutes the fundamental value of our approach. We believe that our efforts can be 
viewed as a contribution towards the goal of enhancing cryptanalytic approaches via incorporating a structural and procedural 
methodology. 

In order to illustrate our approach, in this paper we consider a class of Query-Based Key-Recovery attacks (whose precise 
definition is given in Sec. III-B) targeted towards ABSG [7], which is an LFSR (linear feedback shift register)-based stream 
cipher that uses irregular decimation techniques. Recall that, within the class of stream ciphers, the usage of an LFSR is an 
attractive choice due to the implementation efficiency and favorable statistical properties of the LFSR output; however, the security 
of LFSR-based stream ciphers is contingent upon applying additional non-linearities to compensate for the linear nature of the LFSR [8]. One 
approach which aims to achieve this task is to apply irregular decimation techniques to the LFSR output [7], [9], [10], [11]. 

¹ Note that this approach is analogous to providing both achievability and converse proofs in classical information-theory problems. This connection will 
be further clarified throughout the paper. 
The motivation behind the development of this approach is to render most conventional attacks useless (such as algebraic 
attacks). Shrinking [10] and self-shrinking generators (SSG) [11] are two important examples of this approach. In particular, in 
the literature SSG is well-known to be a very efficient algorithm and it has been shown to possess favorable security properties 
[12], [13], [14]. The bit-search generator (BSG) [9] and its variant ABSG [7] are newer algorithms, which also use irregular 
decimation techniques. In [15], it has been shown that the efficiency (output rate) of ABSG is superior to that of SSG and the 
security level of ABSG is at least the same as that provided by SSG under a broad class of attacks. A detailed analysis of the 
statistical properties of the ABSG and BSG algorithms has recently been presented in [16]. Since ABSG has been shown to be a 
state-of-the-art cryptosystem, in our developments we focus on it under a reasonable class of attacks and subsequently provide 
"negative advice" for the cryptanalyst in various setups of interest. Next, we summarize our main results. 

Main Results: Our contributions, which have been derived under a set of mild assumptions (specified in Sec. III-A), are as 
follows: 

• We show that breaking the ABSG algorithm is equivalent to "guessing" a sequence of random variables, which are i.i.d. 
(independent identically distributed) with geometric distribution of parameter 1/2, using complexity theoretic notions 
(Theorem 3.1). 

• In order to solve the problem mentioned in the previous item, we formulate a sufficiently broad class of attacks, termed 
"Query-Based Key-Recovery attacks", which are quite generic by construction, and hence applicable for cryptanalysis 
of a wide range of cryptosystems (Definition 3.3). 

• Within the class of attacks mentioned in the previous item, we first concentrate on a practically-meaningful subset of them 
(termed "Exhaustive-Search Type Query-Based Key-Recovery attacks") (Sec. IV); we derive a fundamental lower bound 
on the complexity of any successful attack in this subset (Theorem 4.2); this lower bound is proven to be achievable to 
the first order in the exponent (Theorem 4.1). 

• We consider the set of all Query-Based Key-Recovery attacks (Sec. V); we derive a fundamental lower bound on the 
complexity of any successful attack within this set (Theorem 5.2), followed by stating the proof of the achievability result 
(to the first order in the exponent) using the "most probable choice" attack given in [7] (Theorem 5.1). 

Organization of the Paper: In Section II we present the notation used in the paper and recall the definition of ABSG. 
Section III provides the assumptions we have employed throughout the paper, the problem formulation and the definition of 
"Query-Based Key-Recovery" (QuBaR) attacks. In Section IV we derive a tight (to the first order in the exponent) lower bound 
on the complexity of exhaustive-search type QuBaR attacks. In Section V we derive a tight lower bound on the complexity 
of any QuBaR attack. We conclude with discussions given in Section VI. 
II. Notation and Background 

A. Notation 

Boldface letters denote vectors; regular letters with subscripts denote individual elements of vectors. Furthermore, capital 
letters represent random variables and lowercase letters denote individual realizations of the corresponding random variable. 
The sequence $\{a_1, a_2, \ldots, a_M\}$ is compactly represented by $a_1^M$. Given $x \in \{0, 1\}$, $\bar{x}$ denotes the binary complement of $x$. 
The abbreviations "i.i.d.", "p.m.f." and "w.l.o.g." are shorthands for the terms "independent identically distributed", "probability 
mass function" and "without loss of generality", respectively. Throughout the paper, all logarithms are base-2 unless otherwise 
specified. Given a discrete random variable $X$ with the corresponding p.m.f. $p(\cdot)$, defined on the alphabet $\mathcal{X}$, its entropy (in 
bits) is $H(X) = -\sum_{x \in \mathcal{X}} p(x) \log p(x)$. In the sequel, we say that "$a_n$ and $b_n$ are equal to the first order in the exponent" 
provided that $\lim_{n \to \infty} \frac{1}{n} \log \frac{a_n}{b_n} = 0$, which is denoted by $a_n \doteq b_n$ in our notation. 

B. Background 

Throughout this paper, we use the notation that was introduced in [16]. 

Definition 2.1: Given an infinite-length binary sequence $\mathbf{x} = \{x_i\}_{i=1}^{\infty}$ which is an input to the ABSG algorithm, we define 
• $\mathbf{y} = \mathcal{A}(\mathbf{x})$, where the sequence $\mathbf{y}$ represents the internal state of the ABSG algorithm and $y_i \in \{0, \bar{0}, 1\}$, $1 \leq i < \infty$. 
The action of algorithm $\mathcal{A}$ is defined via the recursive mapping $\mathcal{M}$: 

$y_i = \mathcal{M}(y_{i-1}, x_i), \quad 1 \leq i < \infty,$ 

with the initial condition $y_0 = \bar{0}$. The mapping $\mathcal{M}$ is defined in Table I. 

TABLE I 

Transition Table of algorithm $\mathcal{A}$ (rows: $y_{i-1}$, columns: $x_i$; entry: $y_i = \mathcal{M}(y_{i-1}, x_i)$) 

$y_{i-1} \backslash x_i$ |     0     |     1 
-----------------------|-----------|----------- 
$\bar{0}$              |     0     |     1 
0                      | $\bar{0}$ |     0 
1                      |     1     | $\bar{0}$ 


• $\mathbf{z} = \mathcal{B}(\mathbf{y})$, where the sequence $\mathbf{z}$ represents the output of the ABSG algorithm, such that the action of the algorithm $\mathcal{B}$ 
is given as follows: 

$z_j = \begin{cases} y_{i-1}, & \text{if } y_i = \bar{0} \text{ and } y_{i-2} = \bar{0}, \\ \bar{y}_{i-1}, & \text{if } y_i = \bar{0} \text{ and } y_{i-2} \neq \bar{0}, \end{cases}$ 

where $j \leq i$ and $i, j \in \mathbb{Z}^+$. 

From Definition 2.1 we clearly deduce that the ABSG algorithm produces an output bit ($z_j$ denoting the $j$-th output bit) if 
and only if the value of the corresponding internal state variable ($y_i$ denoting the value of the internal state variable at time 
$i$) is $\bar{0}$. The fact that $y_i$ is not equal to $\bar{0}$ for every $i$ is the reason for the mismatch between the input sequence indices (which are the same 
as the indices of the internal state variables) and the output sequence indices. 
III. Problem Setup and Formulation 

A. Assumptions and Preliminaries 

Throughout this paper, we consider the type of attacks in which the aim is to retrieve $L$ (where $L$ is the degree of the feedback 
polynomial of the generating LFSR) linear equations in terms of $x_1^M$. This type of attack corresponds to key recovery 
attacks on ABSG (assuming that the feedback polynomial of the LFSR is known to the attacker, which is a common assumption 
in cryptanalysis). In particular, within the class of key recovery attacks, we concentrate on query-based key recovery attacks 
(abbreviated as "QuBaR attacks" in the rest of the paper); QuBaR attacks shall be defined formally in Sec. III-B. The following 
assumptions are made in this attack model: 

A1: The length-$M$ input sequence is assumed to be a realization of an i.i.d. Bernoulli process with parameter 1/2. 
A2: The length-$N$ output sequence $z_1^N$ is assumed to be given to the attacker, where $N, M \in \mathbb{Z}^+$ (note that this implies we 
necessarily have $M > N \geq 1$ due to Definition 2.1). 
A3: Explicit knowledge of the feedback polynomial of the generating LFSR is not used. 
A4: The degree of the feedback polynomial of the generating LFSR, i.e., $L$, is sufficiently large. 

Note that assumption A3 will be further clarified after we describe the QuBaR attack model precisely. Further, from now on 
we denote the input sequence as $X_1^M$ and the corresponding internal state sequence as $Y_1^M$ due to the stochastic nature of the 
input and hence the internal state sequences. Next, we continue with the following definitions. 

Definition 3.1: The symbol $H_i$ denotes the index of the $i$-th $\bar{0}$ in $Y_1^M$, for $1 \leq i \leq N$. 

Note that, since we have $Y_0 = \bar{0}$ with probability 1 by convention, we also use $H_0 = 0$ with probability 1 as the initial 
condition for $\{H_i\}$. 

Definition 3.2: We define $Q_i = H_i - H_{i-1} - 2$, for $1 \leq i \leq N$. 

Remark 3.1: For each $Q_i$ (regardless of its particular realization), the ABSG algorithm generates an output bit $z_i$. Thus, the 
number of output bits in the ABSG algorithm is precisely equal to the number of corresponding $\{Q_i\}$. 

Next, we state the following result regarding the distribution of {Qi}, which will be heavily used throughout the rest of the 
paper. 

Lemma 3.1: Under assumptions A1 and A2, the random variables $\{Q_i\}$ are i.i.d. with geometric p.m.f. of parameter 1/2: 

$p(q_i) = \Pr\left[Q_i = q_i \mid z_1^N\right] = (1/2)^{q_i + 1}, \quad \text{for } q_i \in \mathbb{N},\ 1 \leq i \leq N. \quad (1)$ 

Proof: See Appendix I. 
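As an added example (not part of the paper), the ABSG algorithm of Definition 2.1 written out in Python: the recursive mapping $\mathcal{M}$ of Table I and the output rule of $\mathcal{B}$, followed by the indices $H_i$ of Definition 3.1, the gaps $Q_i$ of Definition 3.2, and an empirical check of the geometric p.m.f. of Lemma 3.1 on a constructed i.i.d. Bernoulli(1/2) input (assumption A1). The encoding of the state $\bar{0}$ as the string "0b" and the seeded PRNG are choices made here, not the paper's.

```python
# Added example (not from the paper): the ABSG algorithm of Definition 2.1,
# i.e. the recursive mapping M of Table I (algorithm A) and the output rule of
# algorithm B, plus the indices H_i (Definition 3.1), the gaps Q_i
# (Definition 3.2) and an empirical check of Lemma 3.1.
# State labels: the paper's 0-bar ("pattern boundary") is encoded as the
# string "0b"; the states 0 and 1 are the ints 0 and 1.
import random

ZB = "0b"   # the state written as 0 with an overline in the paper

# Table I, y_i = M(y_{i-1}, x_i): from a boundary the input bit becomes the
# state; from state b the pattern closes (-> 0-bar) exactly when x_i == b.
M = {
    (ZB, 0): 0, (ZB, 1): 1,
    (0, 0): ZB, (0, 1): 0,
    (1, 0): 1,  (1, 1): ZB,
}


def absg(x):
    """Return (y, z, H): internal states y_0..y_M, output bits z_1..z_N, and
    the positions H_1..H_N of the 0-bar states (H_0 = 0 is implicit)."""
    y = [ZB]                       # y_0 = 0-bar
    z, H = [], []
    for i, xi in enumerate(x, start=1):
        y.append(M[(y[i - 1], xi)])
        if y[i] == ZB:             # algorithm B emits one bit per 0-bar state
            # z_j = y_{i-1} if y_{i-2} = 0-bar, else the complement of y_{i-1}
            z.append(y[i - 1] if y[i - 2] == ZB else 1 - y[i - 1])
            H.append(i)
    return y, z, H


def gaps(H):
    """Definition 3.2: Q_i = H_i - H_{i-1} - 2, with H_0 = 0."""
    return [h - hp - 2 for hp, h in zip([0] + H[:-1], H)]


def empirical_pmf(n_bits, seed=0):
    """Feed n_bits i.i.d. Bernoulli(1/2) input bits (assumption A1, constructed
    here with a seeded PRNG) and tabulate the relative frequency of each Q_i;
    Lemma 3.1 predicts Pr[Q_i = q] = (1/2)^(q+1).  Returns (pmf, N)."""
    rng = random.Random(seed)
    x = [rng.getrandbits(1) for _ in range(n_bits)]
    _, _, H = absg(x)
    q = gaps(H)
    freq = {}
    for v in q:
        freq[v] = freq.get(v, 0) + 1
    return {v: c / len(q) for v, c in sorted(freq.items())}, len(q)


if __name__ == "__main__":
    y, z, H = absg([0, 0, 1, 0, 0, 1])      # patterns "00" and "1001"
    print("y =", y, "z =", z, "H =", H, "Q =", gaps(H))
    pmf, n_out = empirical_pmf(1 << 16)
    for v in range(6):
        print(f"Pr[Q={v}] ~ {pmf.get(v, 0):.4f}  (Lemma 3.1: {2 ** -(v + 1):.4f})")
    print("output rate N/M ~", n_out / (1 << 16))   # about 1/3, since E[Q_i + 2] = 3
```

The hand-traced input `[0, 0, 1, 0, 0, 1]` produces $y = (\bar{0}, 0, \bar{0}, 1, 1, 1, \bar{0})$, hence $H_1 = 2$, $H_2 = 6$ and $Q = (0, 2)$, with outputs $z = (0, 0)$; on 65536 random input bits the measured frequencies of $Q_i = 0, 1, 2, \ldots$ track $1/2, 1/4, 1/8, \ldots$ and about one output bit is produced per three input bits.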
B. Problem Formulation 

In this section, we provide an analytical formulation of the problem considered in this paper. As the first step, we show that, 
under assumptions A1, A2, A3, and A4, all key recovery attacks on ABSG are equivalent to recovering the exact realizations 
of $Q_i^{i+\theta-1}$, as stated in Theorem 3.1: 

Theorem 3.1: Under the assumptions A1, A2, A3 and A4, the following three computational problems are equivalent in the 
sense of probabilistic polynomial time reducibility [17]: 

1) Retrieving any $L$ independent linear equations in terms of $X_1^M$. 

2) Retrieving any $L$ consecutive bits from $X_1^M$. 

3) Correctly guessing $Q_i^{i+\theta-1}$ for any positive integers $i$ and $\theta$ such that 

$\sum_{j=i}^{i+\theta-1} (Q_j + 2) \geq L \quad (2)$ 

is satisfied. 

Proof: See Appendix II. ■ 
Next, we introduce the model for the query type attacks, namely QuBaR attacks, which are considered throughout the paper. 
Qualitatively, a QuBaR attack consists of repeating the following procedure: for a cryptosystem that has a secret, generate a 
"guess", which aims to guess the secret itself, and subsequently "check" whether the guess is equal to the secret or not; if the 
guess is equal to the secret, then terminate the procedure, else continue with another guess. The maximum number of guesses 
proposed in this procedure is limited by the complexity of the QuBaR attack, which is provided as an input parameter to the 
attack algorithm. Note that, if the task at hand is to guess i.i.d. random variables (which is the case for the third problem of 
Theorem 3.1), the QuBaR attack model is intuitively reasonable. Furthermore, recall that most of the cryptanalysis 
against symmetric key cryptography may be modeled in this way (e.g., time-memory attacks, correlation attacks, algebraic 
attacks and alike). Next, we formally present the general form of QuBaR attack algorithms. 

Definition 3.3: Assuming the existence of a "check algorithm" $T(G)$ for a "guess" $G$ (the output of $T(G)$ is 1 if and only 
if the guess $G$ is equal to the secret), a QuBaR attack algorithm of complexity $C$ executes the following steps: 

For $k = 1$ to $C$ 

    1. Generate a guess $G_k$. 

    2. Compute $T(G_k)$. 

    3. If $T(G_k) = 1$, then terminate and output the secret given by $G_k$. 

end 

Next, we introduce the particular "guess" structure (together with the accompanying relevant definitions) which aims to find 
$Q_i^{i+\theta-1}$ so as to solve the third computational problem of Theorem 3.1.² 

² For the random variable $Q_i$, its realization is denoted by $q_i$. 



Definition 3.4: An ABSG-guess is a triplet defined as $G = \{i, \theta, q_i^{i+\theta-1}\}$, such that $2\theta + \beta \geq L$, where $\beta = \sum_{j=0}^{\theta-1} q_{i+j}$, 
$i \geq 1$ and $i + \theta - 1 \leq N$. 

The Bernoulli random variable $T(G_k)$ indicates whether guess $G_k$ succeeds and is heavily used throughout the 
rest of the paper, where $G_k = (i_k, \theta_k, q_{i_k}^{i_k+\theta_k-1})$ is the ABSG-guess of a QuBaR attack (against ABSG) at step $k$. Note 
that, at each step $k$, the "guessed" values $q_{i_k}^{i_k+\theta_k-1}$ themselves depend on $k$, which is not explicitly stated (unless otherwise 
specified) for the sake of notational convenience; this should be self-understood from the context. 

Remark 3.2: Note that the probability of having a successful QuBaR attack after precisely $K$ steps is equal to $\Pr[T(G_1) = 0, 
T(G_2) = 0, \ldots, T(G_{K-1}) = 0, T(G_K) = 1]$, which is not equal to $\Pr[T(G_K) = 1]$ (the latter being equal to the marginal 
successful guess probability at step $K$). Moreover, neither of these expressions is the success probability of a QuBaR attack 
with a specified complexity, which will formally be defined in (4). Observe that our formulation allows the usage of potentially 
correlated guesses $\{G_k\}$, which aims to make the approach as generic as possible. 

Corollary 3.1: Per Lemma 3.1 and Definition 3.4 we have 

$\Pr[T(G_k) = 1] = \Pr\left[Q_{i_k}^{i_k+\theta_k-1} = q_{i_k}^{i_k+\theta_k-1} \mid z_1^N\right] = \prod_{j=i_k}^{i_k+\theta_k-1} (1/2)^{q_j+1} = (1/2)^{\beta_k + \theta_k}, \quad (3)$ 

where $\beta_k = \sum_{j=0}^{\theta_k-1} q_{i_k+j}$. 

The following corollary, which is a direct consequence of Theorem 3.1, is one of the key results of the paper. 
Corollary 3.2: All QuBaR-type attacks against ABSG are probabilistic polynomial time reducible to the QuBaR algorithm 
(defined in Definition 3.3) which uses ABSG-guesses defined in Definition 3.4 and aims to find $Q_i^{i+\theta-1}$ satisfying (2) for any 
$i, \theta \in \mathbb{Z}^+$. 

Definition 3.5: From now on, we call an arbitrary "ABSG-guess", $G$, simply a "guess". Further, for the sake of notational 
convenience, we use 

$\mathfrak{A} = \{G_k\}_{k=1}^{C(\mathfrak{A})}$ 

for any attack algorithm $\mathfrak{A}$ mentioned in Corollary 3.2, where $C(\mathfrak{A})$ denotes the (algorithmic) complexity of $\mathfrak{A}$ (i.e., the number 
of guesses applied within $\mathfrak{A}$). Accordingly, the success probability of any $\mathfrak{A}$ is given by 

$\Pr_{succ}(\mathfrak{A}) = \Pr\left[\bigcup_{k=1}^{C(\mathfrak{A})} \{T(G_k) = 1\}\right] = 1 - \Pr\left[\bigcap_{k=1}^{C(\mathfrak{A})} \{T(G_k) = 0\}\right]. \quad (4)$ 

Hence, as far as QuBaR attacks against ABSG are concerned, w.l.o.g., in this paper we focus on the ones specified in 
Corollary 3.2 which aim to solve the third computational problem of Theorem 3.1. In particular, in the rest of the paper, we 
explore the fundamental limits of the aforementioned QuBaR attacks (denoted by $\mathfrak{A}$) under various setups of interest. 



Remark 3.3: 

(i) Measure of QuBaR Complexity in Terms of $L$: At first glance, it may look reasonable to evaluate the complexity of a 
QuBaR attack in terms of the length of its input, which is $N$ since the input is $z_1^N$. Note that this is a common practice 
in complexity theory. However, when we confine the setup to the application of a QuBaR attack to the ABSG algorithm 
(prior to which there exists an LFSR whose length-$L$ initial state is unknown), then it would be more reasonable to 
evaluate the complexity of a QuBaR attack in terms of $L$ (since we eventually aim to find $L$ consecutive bits of $X_1^M$; 
see Theorem 3.1). This is precisely the approach we pursue in this paper, i.e., the analysis of the resulting QuBaR attack 
complexity is given as a function of $L$. 

(ii) Time Complexity of QuBaR: First, note that the time complexity of a QuBaR attack (denoted by $\mathfrak{A}$) is given by the 
product of $C(\mathfrak{A})$, the complexity of generating a guess and the complexity of checking a guess. Hence, the quantity $C(\mathfrak{A})$ 
forms a lower bound on the time complexity of the QuBaR attack $\mathfrak{A}$. Furthermore, the complexities of both generating a 
guess and checking a guess may, in practice, be considered to be $\mathrm{poly}(L)$ (see item (v) of this remark). Moreover, we 
will soon show that at optimality $C(\mathfrak{A})$ is of $\exp(L)$. Hence, at optimality, the lower bound $C(\mathfrak{A})$ is, in practice, tight 
to the first order in the exponent. Therefore, throughout this paper, we "treat" the quantity $C(\mathfrak{A})$ as the time complexity 
of a QuBaR attack $\mathfrak{A}$ and carry out the analysis accordingly. 

(iii) Data Complexity of QuBaR: First, note that, for a QuBaR attack $\mathfrak{A}$ consisting of guesses $\{G_k\}$, the data complexity 
of the $k$-th guess $G_k = (i_k, \theta_k, q_{i_k}^{i_k+\theta_k-1})$ is, by definition, $\theta_k$. We will soon show that, at "general case" optimality 
we have $\theta_k = O(L)$ for each $k$. Hence, the data complexity of an optimal QuBaR attack $\mathfrak{A}$ is at most $C(\mathfrak{A}) \cdot O(L)$. 
Furthermore, we will show that at optimality $C(\mathfrak{A})$ is of $\exp(L)$. Hence, we conclude that, at optimality, $C(\mathfrak{A})$ is a tight 
(to the first order in the exponent) upper bound on the data complexity.³ 

(iv) Algorithmic Complexity of QuBaR: In parts (ii) and (iii) above, we stress that for an optimal QuBaR attack algorithm 
$\mathfrak{A}$ against ABSG, $C(\mathfrak{A})$ forms a tight lower (resp. upper) bound on the time (resp. data) complexity of $\mathfrak{A}$, to the first 
order in the exponent.⁴ Following the general convention in cryptanalysis, we use the term "algorithmic complexity" for 
the maximum of time complexity and data complexity. Thus, we conclude that, at optimality, the algorithmic complexity 
is equal to the time complexity. Furthermore, at optimality, the time complexity, the data complexity and $C(\mathfrak{A})$ are all 
equal to each other to the first order in the exponent. Our subsequent developments are based on analytical quantification 
of $C(\mathfrak{A})$. Moreover, due to the aforementioned reasons, our results on $C(\mathfrak{A})$ apply (to the first order in the exponent) to 
the time complexity, the data complexity and the algorithmic complexity as well. 

(v) Practical Implementation Approaches to QuBaR Algorithms: As far as practical attacks are concerned, the existence of a 
polynomial-time guess generation algorithm is obvious. Furthermore, a polynomial-time check algorithm, which corresponds 
to the procedure of initializing an LFSR (whose feedback polynomial is assumed to be known) with the corresponding 
"guessed and retrieved" $L$ consecutive bits of $X_1^M$, generating sufficiently many output bits and comparing them with the 
original output bits, constitutes a practical approach. 

(vi) Relationship of QuBaR Attacks with State-of-the-Art Attack Algorithms: We see that QuBaR attacks are analogous to the 
"first type of attacks" described in [15], which "aim to exploit possible weaknesses of compression component introduced 
by ABSG". However, note that QuBaR attacks do not use explicit knowledge of the feedback polynomial of the generating 
LFSR (recall the structure of algorithm $T$), which is a direct consequence of assumption A3. 

³ This result is valid for the general case QuBaR attacks, analyzed in Sec. V. For a restricted class of QuBaR attacks, namely "Exhaustive-Search Type" 
QuBaR attacks (analyzed in Sec. IV), we show that, at optimality, $C(\mathfrak{A})$ is a loose upper bound on the data complexity. 
⁴ Once again, the argument in this remark is valid for the general case QuBaR attacks of Sec. V. 

IV. Optimum Exhaustive-Search Type QuBaR Attacks Against ABSG 

In this section, we deal with "exhaustive-search" type QuBaR attacks which are formally defined in Definition 4.1. Qualitatively, 
given the output sequence $z_1^N$, an exhaustive-search type QuBaR attack aims to correctly identify $\theta$-many $\{Q_i\}$ 
(equivalently at least $L$ consecutive bits of $X_1^M$ per Theorem 3.1) beginning from an arbitrarily-chosen, fixed index, subject 
to constraint (2).⁵ Since the attacker is confined to initiate the guesses beginning from a fixed index for exhaustive-search 
attacks, in practice this can be thought to be equivalent to a scenario where the attacker uses only a single portion of the 
observed output sequence $z_1^N$. 

The first theorem of this section, namely Theorem 4.1, proves the existence of an exhaustive-search type QuBaR attack with 
success probability $1 - \epsilon$ (for any $\epsilon > 0$) with algorithmic complexity $2^{2L/3}$ (in particular, with time complexity $2^{2L/3}$ 
and data complexity $L/3$) under the assumptions mentioned in Section III-A. The second theorem of this section, namely 
Theorem 4.2, proves that the algorithmic complexity of the best (in the sense of $C$) exhaustive-search type QuBaR algorithm 
under the assumptions A1, A2, A3, A4 is lower-bounded by $2^{2L/3}$ (to the first order in the exponent). Hence, as a result 
of these two theorems, we show that the overall algorithmic complexity of the best exhaustive-search attack against ABSG 
is $2^{2L/3}$ to the first order in the exponent (argued in Corollary 4.1). Note that, in [15] Gouget et al. mention 
the existence of an exhaustive-search attack (under the i.i.d. Bernoulli 1/2 input assumption) of complexity $O(2^{2L/3})$ without 
providing the details of the attack. Our main novelty in this section is that we provide a rigorous proof of the existence 
of such an attack (Theorem 4.1, which is analogous to the "achievability"-type proofs in traditional lossless source coding) 
and further show that this is the best (to the first order in the exponent) in the sense of algorithmic complexity under 
certain assumptions, specifically within the class of exhaustive-search QuBaR attacks (Theorem 4.2, which is analogous to the 
"converse"-type proofs in traditional lossless source coding). As a result, the developments in this section can be considered to 
be analogous to those of source coding by Shannon [18]; see Remark 4.3 for a further discussion on this subject. Theorem 4.3 
concludes the section, which characterizes some necessary conditions of the optimal exhaustive-search type QuBaR attacks 
against ABSG. 

⁵ In contrast with exhaustive-search attacks, we also consider a generalized version, where we focus on identifying $\theta$-many $\{Q_i\}$, possibly beginning from 
arbitrarily-chosen, multiple indices, which constitutes the topic of Sec. V. 

We begin our developments with the formal definition of exhaustive-search type QuBaR attacks. 
Definition 4.1: The class of exhaustive-search type QuBaR attacks against ABSG is defined as 

$S_E = \left\{ \mathfrak{A}_E = \{G_k\}_{k=1}^{C(\mathfrak{A}_E)} : \forall k,\ i_k = 1 \right\}, \quad (5)$ 

where each $k$-th guess is subject to (2) (see Definition 3.4). 

Remark 4.1: Exhaustive-search type attacks constitute an important class of attacks in cryptanalysis. They essentially 
determine the "effective size" of the key space of any cipher. In the case of ABSG, as we mentioned at the beginning of this 
section, since an exhaustive-search type QuBaR attack uses a single portion of the output sequence, such attacks form a basic choice 
for practical cryptanalysis via QuBaR attacks in situations where a limited amount ($\mathrm{poly}(L)$) of output data is available to 
the attacker. 

Thus, at each $k$-th step, via guess $G_k$ an exhaustive-search type QuBaR attack aims to correctly identify $\theta_k$-many $\{Q_i\}$ 
subject to (2) beginning from a fixed index $i_k$, equivalently at least $L$ consecutive bits of $X_1^M$ beginning from the index $i'_k$ 
(in general $i'_k \neq i_k$ due to the "decimation" nature of ABSG). As we specified in Definition 4.1, in our developments w.l.o.g. 
we use $i_k = 1$ (which in turn implies having $i'_k = 1$ as well). 

Theorem 4.1: (Achievability - Exhaustive-Search) Under the assumptions A1, A2, A3, A4 mentioned in Section III-A, 
there exists an exhaustive-search type QuBaR attack algorithm $\mathfrak{A}^E_{ach,opt}$ against ABSG with $C(\mathfrak{A}^E_{ach,opt}) = 2^{2L/3}$ such that 
$\Pr_{succ}(\mathfrak{A}^E_{ach,opt}) \geq 1 - \epsilon$, for any $\epsilon > 0$. Further, $C_{ave}(\mathfrak{A}^E_{ach,opt}) = \frac{1}{2}\left(2^{2L/3} + 1\right)$, where $C_{ave}(\mathfrak{A}^E_{ach,opt})$ is the expected 
complexity of $\mathfrak{A}^E_{ach,opt}$ over the probability distribution induced by $\mathbf{q}$. 

Proof: See Appendix III. ■ 

Remark 4.2: An inspection of the proof of Theorem 4.1 reveals that (as promised in Remark 3.3) the overall data complexity 
of the proposed attack algorithm $\mathfrak{A}^E_{ach,opt}$ is $L/3$, which certainly implies that each guess is of data complexity $O(L)$. 
Furthermore, the overall time complexity of $\mathfrak{A}^E_{ach,opt}$ is $O(2^{2L/3})$ assuming that the contribution of the generation of each 
guess is $\mathrm{poly}(L)$ (which is reasonable in practice). Note that the time and data complexity of the proposed attack $\mathfrak{A}^E_{ach,opt}$ 
used in the proof of Theorem 4.1 coincide with the ones mentioned in [15]. 

Next, we prove the converse counterpart of Theorem 4.1, namely derive a lower bound on the algorithmic complexity of 
any exhaustive-search type QuBaR attack with an inequality constraint on the success probability. 

Theorem 4.2: (Converse - Exhaustive-Search) Under the assumptions A1, A2, A3, A4, and for any $\mathfrak{A}_E \in S_E$ with 
$\Pr_{succ}(\mathfrak{A}_E) \geq$ [threshold illegible in the source], we necessarily have $C(\mathfrak{A}_E) \geq C^E_{min} = 2^{2L/3} \cdot$ [constant factor illegible in the source]. 

Proof: See Appendix IV. ■ 
Corollary 4.1: After some straightforward algebra, it can be shown that 

$C(\mathfrak{A}^E_{ach,opt}) \doteq C_{ave}(\mathfrak{A}^E_{ach,opt}) \doteq C^E_{min}$ 

in $L$. Thus, Theorems 4.1 and 4.2 show that, under the assumptions mentioned in Section III-A, the tight lower bound (to the 
first order in the exponent) on the algorithmic complexity of any exhaustive-search type QuBaR attack against ABSG is $2^{2L/3}$. 



The following remark provides the discussion promised at the beginning of the section, which interprets the relationship between 
the results proved in this section (namely, Theorems 4.1 and 4.2) and the traditional lossless source coding of information theory. 

Remark 4.3: Observe that for the exhaustive-search setup, the problem is "somewhat dual" to the lossless source coding problem. Intuitively, the concept of cryptographic compression (which is also termed "decimation" in this paper) aims to produce a sequence of random variables that is as long as possible with the highest entropy possible, so as to render cryptographic attacks as useless as possible (which amounts to making the decimation operation "non-invertible" in practice). On the other hand, in lossless source coding, the goal is to produce an output sequence which is as short as possible while maintaining "exact invertibility" (which amounts to "lossless" decoding). Hence, it is not surprising that, from the cryptanalyst's point of view, usage of concepts from lossless source coding may be valuable. To be more precise, the cryptanalyst aims to identify a set of highly probable sequences (each of which is a collection of i.i.d. random variables from a known distribution) whose cardinality is as small as possible, thereby maximizing the chances of a successful guess with the least number of trials. As a result, the usage of the concept of typicality fits naturally within this framework. In particular, typicality is the essence of the proof of the converse theorem (Theorem 4.2), which states a fundamental lower bound on the complexity of all possible exhaustive-search type QuBaR attacks. The outcome of the "converse" is a negative result (which, to the best of our knowledge, is unknown for the case of stream ciphers) within a reasonable attack class in cryptanalysis by construction. This observation contributes a significant portion of our long-term goal, which includes the construction of a unified approach to the cryptanalysis of stream ciphers. In particular, our future research includes focusing on specific cryptosystems and quantifying fundamental bounds on the performance of attacks (within a pre-specified reasonable class) against these systems.



The following theorem characterizes some important necessary conditions for an optimal exhaustive-search type QuBaR attack against ABSG, subject to an equality constraint on the success probability. These results are important in practice since they provide guidelines for the construction of optimal or near-optimal exhaustive-search type QuBaR attacks.

Theorem 4.3: Given an optimal (in the sense of minimizing $C(\mathfrak{A}^E)$ subject to an equality constraint on the success probability) exhaustive-search type QuBaR attack (denoted by $\mathfrak{A}^E_{opt}$) against ABSG, we have the following necessary conditions:

(i) The corresponding guesses are prefix-free.

(ii) The corresponding "success events" $\{T(G_i) = 1\}_{i=1}^{C(\mathfrak{A}^E_{opt})}$ are disjoint.

(iii) We have

$\Pr_{succ}(\mathfrak{A}^E_{opt}) = \Pr\left(\bigvee_{k=1}^{C(\mathfrak{A}^E_{opt})} [T(G_k) = 1]\right) = \sum_{k=1}^{C(\mathfrak{A}^E_{opt})} \Pr(T(G_k) = 1).$ (6)

(iv) The corresponding "success events" $\{T(G_i) = 1\}_{i=1}^{C(\mathfrak{A}^E_{opt})}$ satisfy

$(i > j) \Rightarrow [\Pr(T(G_i) = 1) \le \Pr(T(G_j) = 1)],$

for any $i \ne j$, such that $i, j \in \{1, \ldots, C(\mathfrak{A}^E_{opt})\}$.

Proof: See Appendix V. ■

V. Optimum QuBaR Attacks Against ABSG (General Case) 

In this section, we consider the "general case QuBaR attacks", i.e., we relax the condition of being "exhaustive-search", which amounts to relaxing the condition $i_k = 1$ for $\{G_k\}$ in (2). Thus, the goal of the attacker is to guess the true values of $Q_i^{i+\theta-1}$, subject to (2), for an arbitrary initial index $i$; equivalently (cf. Theorem 3.1), the attacker's goal is to retrieve any (at least) $L$ consecutive bits from the input sequence $X$. Note that this setup implies that an exponential amount of output bits is available to the attacker for the cryptanalysis. As we will show in the sequel, via this formulation we can improve the time complexity (and hence the overall algorithmic complexity) at the expense of an exponential increase in the data complexity (which does not affect the overall algorithmic complexity). Thus, the general case can be viewed as one extreme of the time-data tradeoff; the other extreme is the exhaustive-search type attacks covered in the previous section.

Similar to the exhaustive-search case, we prove an achievability result first, namely Theorem 5.1 (which is simply the "most-probable choice attack" of [7], [15]), which implies the existence of a QuBaR attack of algorithmic complexity $2^{L/2}$ under the assumptions mentioned in Section III-A. Next, we provide the converse theorem for the general case, which states that the best QuBaR attack's algorithmic complexity is lower bounded by $2^{L/2-1}$ under the assumptions A1, A2, A3, A4. Hence, we conclude that, to the first order in the exponent, the best QuBaR attack against ABSG is of complexity $2^{L/2}$.

We begin our development with the following definition. 

Definition 5.1: The set of "successful" QuBaR attacks is defined as

$S^P = \left\{ \mathfrak{A} = \{G_k\} \subset \mathcal{W} : \Pr\left(\bigvee_{k=1}^{C(\mathfrak{A})} [T(G_k) = 1]\right) > 1/2 \right\}.$ (7)



We treat any $\mathfrak{A} \in S^P$ as a successful QuBaR attack and derive an achievable (to the first order in the exponent) lower bound on the complexity of these attacks.

First, for the sake of completeness, we state the achievability result via providing an extended version of the proof regarding the complexity of the proposed "most probable choice attack" of [7], [15] using our notation.

Theorem 5.1: [7], [15] (Achievability - General Case) Under the assumptions A1, A2, A3, A4, mentioned in Section III-A, there exists a QuBaR attack algorithm $\mathfrak{A}_{ach,opt} \in S^P$ against ABSG with $C(\mathfrak{A}_{ach,opt}) = 2^{L/2}$. Further, $C_{ave}(\mathfrak{A}_{ach,opt}) = \frac{1}{2}\left(2^{L/2} + 1\right)$, where $C_{ave}(\mathfrak{A}_{ach,opt})$ is the expected complexity of $\mathfrak{A}_{ach,opt}$ over the probability distribution induced by $q$.

Proof: See Appendix VI. ■

Remark 5.1: For the proposed attack $\mathfrak{A}_{ach,opt}$, assuming that the generation of all of the guesses $G(\cdot)$ and the corresponding check algorithm $T(G(\cdot))$ are poly($L$), both the time and data complexity of the attack can be shown to be equal to $2^{L/2}$ to the first order in the exponent.

Next, we state the converse theorem, which can be viewed as a fundamental result due to its negative nature as far as cryptanalysis is concerned, to the best of our knowledge.

Theorem 5.2: (Converse - General Case) Under the assumptions A1, A2, A3, A4, and for any $\mathfrak{A} \in S^P$, we necessarily have

Proof: See Appendix VII. ■
Theorems 5.1 and 5.2 imply the following result:

Corollary 5.1: Under the assumptions A1, A2, A3, A4, the tight (to the first order in the exponent) lower bound on the algorithmic complexity of any QuBaR attack against ABSG is $2^{L/2}$:

$C(\mathfrak{A}_{ach,opt}) \doteq C_{ave}(\mathfrak{A}_{ach,opt}) \doteq C_{\min}.$



Remark 5.2: A practically useful consequence of Corollary 5.1 is as follows: In order to develop a successful "query-based-recovery" (QuBaR) attack (in the sense of being an element of $S^P$) of complexity less than $O(2^{L/2})$ (say poly($L$)), it is necessary to consider a construction where at least one of the assumptions A1, A2, A3, A4 is relaxed. Recalling these assumptions, it is advisable to concentrate on a setup where the assumptions A1 and/or A3 do not apply; in practice, this may lead to using a deterministic approach [16], where explicit knowledge of the generating LFSR's feedback polynomial is utilized and the input sequence to ABSG, $x$, is an $M$-sequence$^6$.

VI. Conclusion

In this paper, we introduce a novel approach to cryptanalysis. We aim to explore fundamental performance limits within a specified class of attacks of interest, targeted towards breaking a particular cryptosystem. As a first step, we illustrate our approach via considering the class of "Query-Based Key-Recovery" (QuBaR) attacks against ABSG, which is an LFSR-based stream cipher constructed via irregular decimation techniques. In order to achieve this task, we rely on the following assumptions (which are quite common in conventional cryptanalysis): the input sequence to ABSG is assumed to be an independent identically distributed Bernoulli process with probability 1/2; the attacker has access to the output sequence of ABSG; explicit knowledge of the generating LFSR's feedback polynomial is not used; and the degree of the feedback polynomial (denoted by $L$) of the generating LFSR is sufficiently large. Using these assumptions, we show that breaking ABSG is equivalent to determining the exact realizations of a sequence of random variables, which are proven to be independent identically distributed with geometric distribution of parameter 1/2. Next, we investigate two setups of interest. In the first setup, we concentrate on the "Exhaustive-Search Type QuBaR" attacks (which form a subset of general-case QuBaR attacks, such that the starting index of all guesses in any element of this set is constrained to be equal to unity). Here, using notions from information theory (in particular the asymptotic equipartition property [18]), we prove that the tight lower bound (to the first order in the exponent) on the algorithmic complexity of any successful Exhaustive-Search Type QuBaR attack is $2^{2L/3}$. In the second setup, we concentrate on the general case QuBaR attacks and follow an analogous development to that of the former setup. In particular, we prove that the tight lower bound (to the first order in the exponent) on the algorithmic complexity of any successful QuBaR attack is $2^{L/2}$. Our results can be viewed as "negative advice" to the cryptanalyst (contrary to the conventional trend in cryptanalysis, where the general goal is to deduce "negative design advice" for the cryptosystem designer) in terms of QuBaR attacks against ABSG under the aforementioned assumptions.

$^6$ For further details on $M$-sequences, we refer the interested reader to [8].

Appendix I
Proof of Lemma 3.1

First, note that each output bit $Z_i = z_i$ (for $1 \le i \le N$) is produced by a block of input bits from the input sequence $X$. In order to identify the $i$-th input block that generates $Z_i$ (for $1 \le i \le N$), we define

$A_i = 1 + \sum_{j=1}^{i-1} [Q_j + 2] = H_{i-1} - H_0 + 1 = H_{i-1} + 1,$

$B_i = \sum_{j=1}^{i} [Q_j + 2] = H_i - H_0 = H_i,$

where we used $H_0 = 0$ as the initial condition. Hence, we note that the input block $X_{A_i}^{B_i}$ produces the $i$-th output bit $Z_i = z_i$, which is given per assumption A2. Further, from the definition of the algorithm $\mathcal{B}$ (see Definition 2.1), we have

$\Pr(X_{A_i+1} = z_i \mid Z_i = z_i) = 1.$ (I-1)

Next, note that the statement of the lemma is equivalent to

$\Pr(Q_1^N = q_1^N \mid Z_1^N = z_1^N) = \prod_{i=1}^{N} \Pr(Q_i = q_i \mid Z_1^N = z_1^N) = \prod_{i=1}^{N} \left(\frac{1}{2}\right)^{q_i+1}.$ (I-2)

Thus, it is necessary and sufficient to show (I-2) to prove Lemma 3.1. In order to show (I-2), we use proof by induction.
Step 1: We would like to show

$\Pr(Q_1 = q_1 \mid Z_1^N = z_1^N) = \left(\frac{1}{2}\right)^{q_1+1}.$ (I-3)

Since the value of $Q_1$ depends only on the first output bit, we have

$\Pr(Q_1 = q_1 \mid Z_1^N = z_1^N) = \Pr(Q_1 = q_1 \mid Z_1 = z_1).$

Next,

$\Pr(Q_1 = 0 \mid Z_1 = z_1) = \Pr(X_1 = z_1, X_2 = z_1 \mid Z_1 = z_1),$ (I-4)
$= \Pr(X_1 = z_1 \mid Z_1 = z_1),$ (I-5)
$= \frac{1}{2},$ (I-6)

where (I-4) follows from the definition of the mapping $\mathcal{M}(\cdot,\cdot)$ (Table I), (I-5) follows from (I-1), and (I-6) follows from assumption A1. Also, for $q_1 > 0$,

$\Pr(Q_1 = q_1 \mid Z_1 = z_1) = \Pr(X_1 = \bar{z}_1, X_2 = z_1, \ldots, X_{q_1+1} = z_1, X_{q_1+2} = \bar{z}_1 \mid Z_1 = z_1),$ (I-7)
$= \Pr(X_1 = \bar{z}_1, X_3 = z_1, \ldots, X_{q_1+1} = z_1, X_{q_1+2} = \bar{z}_1 \mid Z_1 = z_1),$ (I-8)
$= \left(\frac{1}{2}\right)^{q_1+1},$ (I-9)

where (I-7) follows from the definition of the mapping $\mathcal{M}(\cdot,\cdot)$ (Table I), (I-8) follows from (I-1), and (I-9) follows from assumption A1. Combining (I-6) and (I-9), we get (I-3).
Step 2: We assume that

$\Pr(Q_1^{n-1} = q_1^{n-1} \mid Z_1^N = z_1^N) = \prod_{i=1}^{n-1} \left[\Pr(Q_i = q_i \mid Z_1^N = z_1^N)\right] = \prod_{i=1}^{n-1} \left(\frac{1}{2}\right)^{q_i+1}.$ (I-10)

Step 3: Given (I-10), we want to show that

$\Pr(Q_1^{n} = q_1^{n} \mid Z_1^N = z_1^N) = \prod_{i=1}^{n} \left[\Pr(Q_i = q_i \mid Z_1^N = z_1^N)\right] = \prod_{i=1}^{n} \left(\frac{1}{2}\right)^{q_i+1}.$ (I-11)

Note that, given (I-10), (I-11) is equivalent to

$\Pr(Q_n = q_n \mid Q_1^{n-1} = q_1^{n-1}, Z_1^N = z_1^N) = \Pr(Q_n = q_n \mid Z_1^N = z_1^N) = \left(\frac{1}{2}\right)^{q_n+1},$ (I-12)

using Bayes' rule. Now,

$\Pr(Q_n = 0 \mid Q_1^{n-1} = q_1^{n-1}, Z_1^N = z_1^N) = \Pr(X_{A_n} = z_n, X_{A_n+1} = X_{B_n} = z_n \mid Q_1^{n-1} = q_1^{n-1}, Z_1^N = z_1^N),$ (I-13)
$= \Pr(X_{A_n} = z_n \mid Q_1^{n-1} = q_1^{n-1}, Z_1^N = z_1^N),$ (I-14)
$= \Pr(X_{A_n} = z_n \mid Z_1^N = z_1^N) = \Pr(Q_n = 0 \mid Z_1^N = z_1^N),$ (I-15)
$= \Pr(X_{A_n} = z_n \mid Z_n = z_n) = \frac{1}{2},$ (I-16)
where (I-13) follows from the definition of the mapping $\mathcal{M}(\cdot,\cdot)$ (Table I), (I-14) follows from (I-1), and (I-15) and (I-16) follow from assumption A1$^7$. On the other hand, for $q_n > 0$, we have

$\Pr(Q_n = q_n \mid Q_1^{n-1} = q_1^{n-1}, Z_1^N = z_1^N) = \Pr(X_{A_n} = \bar{z}_n, X_{A_n+1} = z_n, \ldots, X_{B_n-1} = z_n, X_{B_n} = \bar{z}_n \mid Q_1^{n-1} = q_1^{n-1}, Z_1^N = z_1^N),$ (I-17)
$= \Pr(X_{A_n} = \bar{z}_n, X_{A_n+2} = z_n, \ldots, X_{B_n-1} = z_n, X_{B_n} = \bar{z}_n \mid Q_1^{n-1} = q_1^{n-1}, Z_1^N = z_1^N),$ (I-18)
$= \Pr(X_{A_n} = \bar{z}_n, X_{A_n+2} = z_n, \ldots, X_{B_n-1} = z_n, X_{B_n} = \bar{z}_n \mid Z_1^N = z_1^N),$ (I-19)
$= \Pr(X_{A_n} = \bar{z}_n, X_{A_n+2} = z_n, \ldots, X_{B_n-1} = z_n, X_{B_n} = \bar{z}_n \mid Z_n = z_n) = \left(\frac{1}{2}\right)^{q_n+1},$ (I-20)

where (I-17) follows from the definition of the mapping $\mathcal{M}(\cdot,\cdot)$ (Table I), (I-18) follows from (I-1), and (I-19) and (I-20) follow from assumption A1 (see the discussion in the footnote). Combining (I-15), (I-16), (I-19), (I-20), we get (I-12), and equivalently (I-11), which completes the proof.

□ 

Appendix II
Proof of Theorem 3.1

The equivalence of the first and second problems is shown in [15]. In order to prove the theorem, we proceed with proving the equivalence of the second and third problems.

First, we show that the third problem reduces to the second problem in poly($L$) time: Since we know $z_1^N$ and $Q_i^{i+\theta-1}$ per assumption, we construct $L$ consecutive bits of $X$ via Definition 2.1 in the following way. We are given $Q_i^{i+\theta-1} = q_i^{i+\theta-1}$ such that (2) holds. Then, we apply the following algorithm:

1) For each $j = i, i+1, \ldots, \theta+i-1$ do:

a) If $q_j = 0$, generate $B_j = \{z_j, z_j\}$.

b) If $q_j > 0$, generate $B_j = \{\bar{z}_j, z_j^{q_j}, \bar{z}_j\}$ (i.e., $\bar{z}_j$ followed by $q_j$ copies of $z_j$ and a final $\bar{z}_j$).

2) Concatenate $\{B_j\}_{j=i}^{\theta+i-1}$, thereby forming the desired $X = x$ sequence.

Note that the condition (2) ensures that the resulting $X = x$ sequence $\{B_i, B_{i+1}, \ldots, B_{\theta+i-1}\}$ is of length at least $L$. Furthermore, from the definition of the ABSG algorithm, the resulting $X = x$ sequence is unique and necessarily the correct one. Obviously, this algorithm runs in poly($L$) time, which completes the proof for this case.
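The two-step reconstruction above, together with the ABSG decimation it inverts and an empirical check of Lemma 3.1, as an added Python example (this is not code from the paper or its authors). The bit list `x`, the function names and the seeded Monte Carlo check are all constructed here; the block convention is the one used in Appendix I: a block starts with a bit $c$, continues with $q$ bits different from $c$ and ends with $c$, so the output bit is $c$ when $q = 0$ and $\bar{c}$ when $q > 0$.

```python
"""ABSG decimation and its inverse (Appendix II, step 1), plus an empirical
check of Lemma 3.1.  Added example; not the paper's code."""
import random


def absg(x):
    """Decimate the bit list x.  Returns (z, q, consumed): output bits z_j, the
    block parameters q_j (the Q_j of the paper) and how many input bits the
    complete blocks used.  A trailing incomplete block is ignored."""
    z, q = [], []
    i = 0
    while i < len(x):
        c = x[i]
        j = i + 1
        while j < len(x) and x[j] != c:
            j += 1
        if j >= len(x):
            break                      # not enough input for one more block
        run = j - i - 1                # q_j: bits != c between the two c's
        q.append(run)
        z.append(c if run == 0 else 1 - c)
        i = j + 1
    return z, q, i


def absg_inverse(z, q):
    """Appendix II, step 1: rebuild the input blocks B_j from (z_j, q_j)."""
    x = []
    for zj, qj in zip(z, q):
        if qj == 0:
            x += [zj, zj]                           # B_j = {z_j, z_j}
        else:
            x += [1 - zj] + [zj] * qj + [1 - zj]    # B_j = {z_j-bar, z_j^q_j, z_j-bar}
    return x


def guess_covers_L(q, L):
    """Constraint (2) of the paper: theta blocks with parameters q cover
    2*theta + beta = sum(q_j + 2) input bits, which must be at least L."""
    return sum(qj + 2 for qj in q) >= L


def roundtrip_holds(n_bits, seed):
    """Decimate a constructed random input and check that rebuilding the blocks
    from (z, q) returns exactly the consumed prefix of the input."""
    rng = random.Random(seed)
    x = [rng.randrange(2) for _ in range(n_bits)]
    z, q, consumed = absg(x)
    rebuilt = absg_inverse(z, q)
    return rebuilt == x[:consumed] and absg(rebuilt)[:2] == (z, q)


def empirical_q_stats(n_bits, seed):
    """Lemma 3.1 says Q_j is i.i.d. Geometric(1/2): Pr(Q = 0) = 1/2 and E[Q] = 1.
    Returns (fraction of q_j == 0, mean of q_j) on a constructed i.i.d. input."""
    rng = random.Random(seed)
    x = [rng.randrange(2) for _ in range(n_bits)]
    _, q, _ = absg(x)
    return q.count(0) / len(q), sum(q) / len(q)
```

For the constructed input 1,0,0,1,1,0,1,0,0,0,0,1 the complete blocks are (1,0,0,1), (1,0,1), (0,0), (0,0), so `absg` returns z = 0,0,0,0 and q = 2,1,0,0; those four blocks cover $2\cdot 4 + 3 = 11$ input bits, which is exactly the quantity that constraint (2) compares with $L$.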

Next, we proceed with showing that the second problem can be reduced to the third problem via an algorithm in probabilistic polynomial time. First, note the following lemma.

$^7$ Since $X$ is an i.i.d. Bernoulli(1/2) process, the value of $\Pr(X_{A_n} = z_n \mid Z_n = z_n)$ is independent of the particular value of $A_n$, which is why it is equal to $1/2$.
Lemma II-1: Under the assumptions A1, A2, A3, and A4, for any $n \in \mathbb{Z}^+$, we have

$\Pr\left(\bigwedge_{k=0}^{\mathrm{poly}(L)} [Y_{n+k} \neq 0]\right) < \epsilon,$

for any $\epsilon > 0$ for $L$ sufficiently large.

Proof: First, under the given assumptions, we note the following fundamental results from [16]:

• For any $n \in \mathbb{Z}^+$,

$\Pr(Y_n = 0) = \frac{1}{3} + \frac{2}{3}\left(-\frac{1}{2}\right)^n,$ (II-1)

$\Pr(Y_n \neq 0) = \frac{2}{3} - \frac{2}{3}\left(-\frac{1}{2}\right)^n.$ (II-2)

• $\{Y_n\}$ form a Markovian process with memory 1:

$\Pr(Y_n \mid Y_1^{n-1} = y_1^{n-1}) = \Pr(Y_n \mid Y_{n-1} = y_{n-1}),$ (II-3)

for any $n \in \mathbb{Z}^+$.

• For any $n \in \mathbb{Z}^+$,

$\Pr(Y_n \neq 0 \mid Y_{n-1} \neq 0) = \frac{1}{2}.$ (II-4)

Hence, for any $\epsilon > 0$ we have

$\Pr\left(\bigwedge_{k=0}^{\mathrm{poly}(L)} [Y_{n+k} \neq 0]\right) = \Pr(Y_n \neq 0) \cdot \prod_{i=1}^{\mathrm{poly}(L)} \Pr\left(Y_{n+i} \neq 0 \,\Big|\, \bigwedge_{k=0}^{i-1} Y_{n+k} \neq 0\right),$ (II-5)
$= \Pr(Y_n \neq 0) \cdot \prod_{i=1}^{\mathrm{poly}(L)} \Pr(Y_{n+i} \neq 0 \mid Y_{n+i-1} \neq 0),$ (II-6)
$= \left(\frac{2}{3} - \frac{2}{3}\left(-\frac{1}{2}\right)^n\right) \left(\frac{1}{2}\right)^{\mathrm{poly}(L)},$ (II-7)
$< \epsilon,$ (II-8)

where (II-5) follows from Bayes' rule, (II-6) follows from (II-3), (II-7) follows from (II-2) and (II-4), and (II-8) follows from the fact that the first term in (II-7) is constant in $L$ and the second term is exponentially decaying in $L$, whence $\epsilon$ can be made arbitrarily small for sufficiently large $L$. ■
Now, since $Y_n$ takes one of only three values (i.e., there are constantly many possibilities for $Y_n$), w.l.o.g. we assume that $Y_n$ is known. Since we are also given $X_{n+1}^{n+L}$ for some $n \in \mathbb{Z}^+$, this also means we know $Y_n^{n+L}$ (via successively applying $\mathcal{M}(Y_{n+l-1}, X_{n+l})$ for $l = 1, 2, \ldots, L$). Next, consider the following situations:

1) $Y_n = Y_{n+L} = 0$:

In this case, w.l.o.g. we choose $h_{i-1} = n$ for some $i$. Next, let $K$ denote the number of 0's within the sequence $Y_n^{n+L}$ (which is necessarily $\ge 2$ per assumption) and assign $\theta = K - 1$. Next, let $h_{i+j-2}$ denote the index of the $j$-th 0 within the sequence $Y_n^{n+L}$, where $1 \le j \le K = \theta + 1$ (implying $h_{i+K-2} = h_{i+\theta-1} = n + L$). Accordingly, assign $q_j = h_j - h_{j-1} - 2$ for all $j \in \{i, i+1, \ldots, i+\theta-1\}$. Note that all these $\{h_j\}$ (equivalently $\{q_j\}$) are known since $Y_n^{n+L}$ is known. Consequently, this means we have identified $Q_i^{\theta+i-1} = q_i^{\theta+i-1}$ such that

$\sum_{j=i}^{\theta+i-1} (q_j + 2) = \sum_{j=i}^{\theta+i-1} (h_j - h_{j-1}) = h_{\theta+i-1} - h_{i-1} = L,$

satisfying the constraint (2). Further, note that the operations performed within this procedure constitute an algorithm which is in deterministic polynomial time (implying it is also in probabilistic polynomial time).

2) $Y_n = 0$ and $Y_{n+L} \neq 0$:

In this case, since $Y_{n+L} \neq 0$, we aim to identify some $Y_{n+L+L'} = 0$ for $L' > 0$ with high probability in polynomial time. To achieve this task, we consider the sequence $\{Y_{n+L+k}\}$ for $k > 0$. Now, note that as we increment $k$, after poly($L$) steps we necessarily come across a 0 with high probability (the probability of not coming across a 0 is exponentially small in $L$ per Lemma II-1). Thus, we have $Y_n = Y_{n+L''} = 0$ where $L'' = L + L' > L$. Next, applying algorithmic steps analogous to the ones in Situation 1 (i.e., beginning from $Y_n = Y_{n+L''} = 0$), we identify $Q_i^{\theta+i-1} = q_i^{\theta+i-1}$ such that

$\sum_{j=i}^{\theta+i-1} (q_j + 2) = \sum_{j=i}^{\theta+i-1} (h_j - h_{j-1}) = h_{\theta+i-1} - h_{i-1} = L'' > L,$

satisfying the constraint (2). Further, note that the operations performed within this procedure constitute an algorithm which is in probabilistic polynomial time.

3) $Y_n \neq 0$ and $Y_{n+L} = 0$:

Our overall goal is to identify (via an algorithm which is in probabilistic polynomial time) $Y_{n+L} = Y_{n+L'''} = 0$ such that $L''' - L \ge L$. In that case, we would be able to apply algorithmic steps analogous to the ones in Situation 1 (i.e., beginning from $Y_{n+L} = Y_{n+L'''} = 0$) and identify $Q_i^{\theta+i-1} = q_i^{\theta+i-1}$ such that

$\sum_{j=i}^{\theta+i-1} (q_j + 2) = \sum_{j=i}^{\theta+i-1} (h_j - h_{j-1}) = h_{\theta+i-1} - h_{i-1} = L''' - L \ge L,$

satisfying the constraint (2). Next, we show that, beginning from $Y_{n+L}$, we are able to find some $Y_{n+L'''} = 0$ such that $L''' \ge 2L$ via a probabilistic polynomial time algorithm. To see this, first consider the sequence $\{Y_{n+L+k}\}$ for $k > 0$ (as we did in Situation 2). Following Lemma II-1 and using similar arguments to Situation 2, we see that as we increment $k$ by poly($L$), we necessarily come across a 0 with high probability. Next, we apply this step $L/2$ times; at each step, we increment $k$ by poly($L$), and at each step we see a 0 with probability $1 - \epsilon$, where $\epsilon$ is exponentially small in $L$ per Lemma II-1. Thus, as a result of incrementing $k$ by a total of $\frac{L}{2} \cdot \mathrm{poly}(L)$ (which is again poly($L$)), we observe $L/2$ 0's with sufficiently high probability, which makes this procedure an algorithm in probabilistic polynomial time. On the other hand, observing $L/2$ 0's guarantees that we identify some $L'''$ such that $L''' \ge 2L$, since the gap between two 0's is at least 2 due to the definition of the ABSG algorithm. As a result, we see that we can identify $Y_{n+L'''} = 0$ such that $L''' - L \ge L$ via an algorithm which is in probabilistic polynomial time, which was our initial goal.

4) $Y_n \neq 0$ and $Y_{n+L} \neq 0$:

This is straightforward via applying an approach analogous to Situation 3 above. Again, we begin from $Y_{n+L}$, consider the sequence $Y_{n+L+k}$ for $k > 0$, and increment $k$ in blocks of length poly($L$); the only difference is that this time we use $\frac{L}{2} + 1$ blocks (each of which is poly($L$)) instead of $\frac{L}{2}$. As a result, we are guaranteed to identify $Y_{n+L''''} = Y_{n+L'''''} = 0$ such that $L''''' - L'''' \ge L$ via an algorithm which is in probabilistic polynomial time; the rest is obvious.
Thus, the proof of the (probabilistic polynomial time) reduction of the second problem to the third one is completed. Hence the proof of Theorem 3.1 follows. □



Appendix III
Proof of Theorem 4.1

For the sake of clarity, throughout this section we use the notation $G_k(i_k, \theta_k, q_{i_k}^{i_k+\theta_k-1})$ to denote a particular guess $G_k$.

Choosing $n = L/3$, first we define the typical set with respect to $p(q)$ (given by (1)):

$A_\epsilon^{(n)} = \left\{ q_1^n : \left| -\frac{1}{n} \log p(q_1^n) - H(Q) \right| \le \epsilon \right\},$ (III-1)

where (using logarithm with base 2)

$H(Q) = -\sum_{q=0}^{\infty} p(q) \log p(q).$

At this point, we also recall two fundamental results regarding typical sets [19]:

$(1 - \epsilon)\, 2^{n(H(Q) - \epsilon)} \le \left| A_\epsilon^{(n)} \right| \le 2^{n(H(Q) + \epsilon)},$ (III-2)

$\Pr\left( q_1^n \in A_\epsilon^{(n)} \right) \ge 1 - \epsilon,$ (III-3)

for any $\epsilon > 0$, for sufficiently large $n$.

Next, we propose the following construction for the attack $\mathfrak{A}^E_{ach,opt}$:

1. Index all $q_1^n \in A_\epsilon^{(n)}$ and accordingly let $(q_1^n)_k$ denote the $k$-th element, where $k \in \{1, 2, \ldots, |A_\epsilon^{(n)}|\}$. Let $q_{i,k}$ denote the $i$-th element of $(q_1^n)_k$ for $i \in \{1, 2, \ldots, n\}$.

2. At each $k$-th step of the QuBaR attack, choose $G_k = \left(i_k = 1, \theta_k = n = \frac{L}{3}, (q_1^n)_k\right)$; $k \in \{1, 2, \ldots, |A_\epsilon^{(n)}|\}$.

Note that this attack qualifies as a "QuBaR attack against ABSG" only if all of the aforementioned guesses satisfy the constraint (2). To see that this is satisfied for arbitrarily small $\epsilon$, we observe (noting that $\beta_k = \sum_{i=1}^{n} q_{i,k}$)

$\left| -\frac{1}{n} \log p\left((q_1^n)_k\right) - H(Q) \right| = \left| \frac{\theta_k + \beta_k}{n} - 2 \right| \le \epsilon,$ (III-4)

where the equality follows from (1), the definition of $\beta_k$ and using $\theta_k = n$, and the inequality follows from (III-1). Furthermore, using $\theta_k = n = L/3$, after straightforward algebra (III-4) can be shown to be equivalent to

$L\left(1 - \frac{\epsilon}{3}\right) \le 2\theta_k + \beta_k \le L\left(1 + \frac{\epsilon}{3}\right).$

Since we can choose $\epsilon$ arbitrarily small, the aforementioned attack qualifies as a QuBaR attack against ABSG as $\epsilon \to 0$.

Next, (III-3) implies that for large $n$ (equivalently for large $L$) $\Pr_{succ}(\mathfrak{A}^E_{ach,opt}) = \Pr\left(q_1^n \in A_\epsilon^{(n)}\right)$ can be made arbitrarily close to 1 since we can choose $\epsilon$ arbitrarily small. Thus, $\Pr_{succ}(\mathfrak{A}^E_{ach,opt}) \to 1$ as $L \to \infty$ and $\epsilon \to 0$. Furthermore, for large $L$ the algorithmic complexity is at most

$\left| A_\epsilon^{(n)} \right|,$

which can be made arbitrarily close to $2^{2L/3}$ per (III-2) since $n = L/3$, $H(Q) = 2$ and we can choose $\epsilon$ arbitrarily small. Thus, the algorithmic complexity is at most $2^{2L/3}$ as $L \to \infty$, $\epsilon \to 0$. Recalling that for sufficiently small $\epsilon$, all elements of $A_\epsilon^{(n)}$ are equiprobable (since $\beta_k \in \mathbb{N}$, $\theta_k \in \mathbb{Z}^+$) with probability $2^{-(\theta_k + \beta_k)}\big|_{\theta_k = \beta_k = L/3}$, we immediately see that the expected algorithmic complexity is $\frac{1}{2}\left(2^{2L/3} + 1\right)$. Note that in the proposed attack, $i_k = 1$ and $\theta_k = n = L/3$ for all $k$, which implies that the corresponding data complexity is $L/3$. □
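The typical-set construction of this appendix, carried out numerically as an added Python example (not code from the paper). Since $p(q_1^n) = 2^{-(n+\beta)}$ with $\beta = \sum_i q_i$ and $H(Q) = 2$, the test in (III-1) reduces to $n(1-\epsilon) \le \beta \le n(1+\epsilon)$, so $|A_\epsilon^{(n)}|$ and $\Pr(q_1^n \in A_\epsilon^{(n)})$ can be counted with binomial coefficients instead of enumerated; the function names and the sample parameters are assumptions of this example.

```python
"""Typical set A_eps^(n) of Appendix III for i.i.d. Q ~ Geometric(1/2).
Added example, not the paper's code.  The number of q_1^n with sum beta is
comb(beta + n - 1, n - 1) (compositions of beta into n non-negative parts)."""
from fractions import Fraction
from math import ceil, comb, floor

H_Q = 2   # entropy of Geometric(1/2) on {0, 1, 2, ...}, in bits


def typical_beta_range(n, eps):
    """Smallest and largest beta admitted by (III-1) for block count n.
    eps may be a Fraction, a float or a string such as "1/10"."""
    eps = Fraction(eps)
    return max(0, ceil(n * (1 - eps))), floor(n * (1 + eps))


def typical_set_stats(n, eps):
    """Return (|A_eps^(n)|, Pr(q_1^n in A_eps^(n))) exactly."""
    lo, hi = typical_beta_range(n, eps)
    size, prob = 0, Fraction(0)
    for beta in range(lo, hi + 1):
        count = comb(beta + n - 1, n - 1)
        size += count
        prob += Fraction(count, 2 ** (n + beta))   # each such q_1^n has p = 2^-(n+beta)
    return size, prob


def guess_length_range(n, eps):
    """Every guess of the attack has theta_k = n and beta_k in the typical range,
    so it covers 2n + beta_k input bits; returns the (min, max) of that length.
    With L = 3n this is the interval [L(1 - eps/3), L(1 + eps/3)] of the text."""
    lo, hi = typical_beta_range(n, eps)
    return 2 * n + lo, 2 * n + hi


def attack_summary(L, eps):
    """Exhaustive-search attack with n = L/3 blocks: number of guesses (the
    algorithmic complexity), its success probability, and floor(log2 size)/L,
    which (III-2) drives towards 2/3 as L grows and eps shrinks."""
    n = L // 3
    size, prob = typical_set_stats(n, eps)
    exponent = (size.bit_length() - 1) / L
    return size, prob, exponent
```

For $n = 4$ and $\epsilon = 1/2$ the admitted sums are $\beta \in \{2, \ldots, 6\}$, giving 205 typical sequences with total probability $41/64$, and every guess covers between 10 and 14 input bits, which is exactly $L(1 \pm \epsilon/3)$ for $L = 12$; for $L = 6000$ and $\epsilon = 1/10$ the success probability is already above 0.99 while the guess count stays within the bounds of (III-2).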

Appendix IV
Proof of Theorem 4.2

First of all, since $L$ is sufficiently large (per assumption A4), we assume w.l.o.g. that $L$ is divisible by 6. Our fundamental goal is to characterize the algorithmic complexity of the optimal attacks subject to a lower bound on the success probability of the attack. Thus, we aim to analytically identify

$\mathfrak{A}^E_{opt} = \arg\min_{\mathfrak{A}^E \in S^E_P} C(\mathfrak{A}^E),$ (IV-1)

where

$S^E_P \triangleq \left\{ \mathfrak{A}^E : \mathfrak{A}^E \in S^E \text{ and } \Pr\left(\bigvee_{k=1}^{C(\mathfrak{A}^E)} [T(G_k) = 1]\right) > \frac{1}{2} \right\} \subset S^E,$

i.e., $S^E_P$ is a "probabilistically-constrained" subset of $S^E$ for which the success probability is strictly bounded away from 1/2. In our terminology, we denote the quantity $\Pr\left(\bigvee_{k=1}^{C(\mathfrak{A})} [T(G_k) = 1]\right)$ as the success probability of algorithm $\mathfrak{A}$. Our problem is to characterize

$C^E_{\min} \triangleq C(\mathfrak{A}^E_{opt}),$

in particular, we aim to achieve this goal via quantifying a lower bound on it.

Our proof approach can be summarized as follows: Since it is not a straightforward task to solve the optimization problem (IV-1), we proceed with a simpler problem. We define a set $\tilde{S}^E$, such that $S^E_P \subset \tilde{S}^E \subset S^E$, and accordingly proceed with minimizing $C(\mathfrak{A}^E)$ over all $\mathfrak{A}^E \in \tilde{S}^E$. The set $\tilde{S}^E$ is defined in such a way that minimizing $C$ over this set (i.e., over all $\mathfrak{A}^E \in \tilde{S}^E$) is tractable. At the last step, we conclude the proof via deriving a lower bound on the minimum algorithmic complexity over $\tilde{S}^E$, which also forms a lower bound on $C^E_{\min}$ since $S^E_P \subset \tilde{S}^E$.
We proceed with defining the set

$\tilde{S}^E = \left\{ \mathfrak{A}^E : \mathfrak{A}^E \in S^E \text{ and } \sum_{k=1}^{C(\mathfrak{A}^E)} \Pr(T(G_k) = 1) > \frac{1}{2} \right\}.$

In our terminology, we denote the quantity $\sum_{k=1}^{C(\mathfrak{A})} \Pr(T(G_k) = 1)$ as the cumulative success probability of algorithm $\mathfrak{A}$. Note that the success probability is always upper-bounded by the cumulative success probability for any algorithm $\mathfrak{A}$; i.e., we have

$\Pr\left(\bigvee_{k=1}^{C(\mathfrak{A})} [T(G_k) = 1]\right) \le \sum_{k=1}^{C(\mathfrak{A})} \Pr(T(G_k) = 1)$

due to the union bound, which implies $S^E_P \subset \tilde{S}^E \subset S^E$. Next, we define the optimization problem (which is "alternate" to (IV-1))

$\tilde{\mathfrak{A}}^E_{opt} = \arg\min_{\mathfrak{A}^E \in \tilde{S}^E} C(\mathfrak{A}^E),$ (IV-2)

and accordingly

$\tilde{C}^E_{\min} \triangleq C(\tilde{\mathfrak{A}}^E_{opt}).$

In order to quantify the solution of (IV-2), for the sake of convenience we define

$\mathcal{Q}(\theta, \alpha) = \left\{ q_1^\theta : \forall i,\ q_i \ge 0,\ \theta \in \mathbb{Z}^+,\ \alpha \in \mathbb{N},\ \sum_{i=1}^{\theta} q_i = \beta = L - 2\theta + \alpha \right\}$ (IV-3)

for any given $\theta \in \mathbb{Z}^+$ and $\alpha \in \mathbb{N}$. Observe that $\{\mathcal{Q}(\theta, \alpha)\}$ are clearly disjoint for different pairs $(\theta, \alpha)$. Further, note that, by construction, $q_1^\theta \in \mathcal{Q}(\theta, \alpha)$ for some $\theta \in \mathbb{Z}^+$, $\alpha \in \mathbb{N}$ implies (2) since $2\theta + \beta = L + \alpha \ge L$; thus, any guess $G = (1, \theta, q_1^\theta)$ where $q_1^\theta \in \mathcal{Q}(\theta, \alpha)$ for some $\theta \in \mathbb{Z}^+$, $\alpha \in \mathbb{N}$ is a valid ABSG-guess. Furthermore, any valid guess $G$ necessarily corresponds to a $q_1^\theta \in \mathcal{Q}(\theta, \alpha)$ for some unique pair $(\theta, \alpha)$. Next, using (1) observe that

$p(q_1^\theta) = 2^{-(\theta + \beta)}\Big|_{\beta = L - 2\theta + \alpha} = 2^{-(L - \theta + \alpha)},$ (IV-4)

for any $q_1^\theta \in \mathcal{Q}(\theta, \alpha)$; i.e., given a pair $(\theta, \alpha)$, all elements of $\mathcal{Q}(\theta, \alpha)$ are equally likely with probability $2^{-(L - \theta + \alpha)}$.

Going back to (IV-2), since we are trying to achieve a cumulative success probability strictly greater than 1/2 using elements from the disjoint sets $\{\mathcal{Q}(\theta, \alpha)\}$, the optimal strategy is clearly to use the elements $q_1^\theta \in \mathcal{Q}(\theta, \alpha)$ sorted with respect to their success probabilities, specified in (IV-4)$^8$. Thus, algorithmically the optimal solution consists of trying the guess with the largest marginal success probability first, and then the most probable guess among the remaining ones, and so on.

Next, we aim to characterize the aforementioned sorting process and analyze the minimum number of elements needed to achieve a cumulative success probability strictly greater than 1/2. Since all elements of $\mathcal{Q}(\theta, \alpha)$ are equally likely (cf. (IV-4)), the problem of sorting individual sequences reduces to the problem of sorting the sets $\{\mathcal{Q}(\theta, \alpha)\}$ in non-increasing order with respect to (IV-4). The total number of elements in these sorted sets $\{\mathcal{Q}(\theta, \alpha)\}$ such that the total probability exceeds 1/2 amounts to the sought result $\tilde{C}^E_{\min}$. As a result, we should solve the following sorting problem:

$^8$ This problem is trivially equivalent to the problem of obtaining a pre-specified amount of cake with the minimum number of slices, where the slice sizes are fixed, but not necessarily uniform.

Sorting Problem I: Sort over $(\theta, \alpha)$, with respect to the cost function $L - \theta + \alpha$, in non-decreasing order, such that

$(\theta, \alpha) \in S_{\theta, F} = \{(\theta, \alpha) : \theta \in \mathbb{Z}^+,\ \alpha \in \mathbb{N},\ \beta = L - 2\theta + \alpha \ge 0\}.$ (IV-5)

Since this sorting needs to be done over $(\theta, \alpha)$, our next task is to characterize the feasible set $S_{\theta, F}$ over which the sorting will be carried out.

First of all, notice that from the definition of $\mathcal{Q}(\theta, \alpha)$ (cf. (IV-3)), we have

$2\theta - \alpha \le L,$ (IV-6)

since $\beta = L - 2\theta + \alpha \ge 0$. Next, we define

$B = L - \theta + \alpha,$ (IV-7)

as our cost function in the aforementioned Sorting Problem I. Note that, for any $q \in \mathcal{Q}(\theta, \alpha)$, $\Pr(Q = q) = 2^{-(\theta + \beta)} = 2^{-B}$; i.e., for any guess $G(i, \theta, q)$, its success probability is equal to $2^{-B}$, where $B$ is computed via (IV-7) using the corresponding $\theta$ and $\alpha$. This means that, for any given guess $G(\cdot)$, its marginal success probability $\Pr(T(G) = 1)$ is directly determined by the corresponding value of $B$.

Next, our goal is to find an alternate re-parameterized expression for (IV-5) in terms of $B$ and $L$, since $B$ is our cost function in Sorting Problem I. Now, using (IV-7) in (IV-6) and noting that $\alpha \in \mathbb{N}$ yields

$\alpha \in \{0, 1, \ldots, 2B - L\},$ (IV-8)

which also implies that $B \ge L/2$ since $\alpha \ge 0$. As a side result, this accordingly implies the following upper bound on the marginal success probability of any valid guess:

$\Pr[T(G(i, \theta, q)) = 1] = 2^{-B}\big|_{B = \theta + \beta} \le 2^{-L/2}$ for any $G(i, \theta, q)$ with $q \in \mathcal{Q}(\theta, \alpha)$ for some $\alpha \in \mathbb{N}$. (IV-9)

The result (IV-9) will be useful in proving Theorem 5.2 of Section V.

Next, per (IV-7), each value of $\alpha$ uniquely determines $\theta$ in terms of $B$ via

$\theta = L - B + \alpha.$ (IV-10)

Using (IV-10) in (IV-8) we have

$\theta \in \{L - B, L - B + 1, \ldots, B\},$ (IV-11)

which also implies that $B \le L - 1$ since $\theta \ge 1$. Combining these observations, we find the following equivalent expression to (IV-5):

$(\theta, \alpha) \in S_{\theta, F} = \bigcup_{B = L/2}^{L-1} \{(L - B, 0), (L - B + 1, 1), (L - B + 2, 2), \ldots, (B - 1, 2B - L - 1), (B, 2B - L)\},$ (IV-12)

where we effectively did a re-parameterization using $B$. Note that this re-parameterization allows us to see that, given a fixed $B$, all $\{\mathcal{Q}(\theta, \alpha)\}$ such that

$(\theta, \alpha) \in \{(L - B, 0), (L - B + 1, 1), (L - B + 2, 2), \ldots, (B - 1, 2B - L - 1), (B, 2B - L)\},$

are equivalent to each other in terms of their success probabilities, $2^{-B}$. Using this observation and (IV-12), we conclude that Sorting Problem I is equivalent to the following one:

Sorting Problem II: Sort over $(B, \alpha)$ with respect to $B$ in non-decreasing order, such that

$(B, \alpha) \in \{(B, \alpha) : \alpha \in \{0, 1, \ldots, 2B - L\},\ B \in \{L/2, \ldots, L - 1\}\}.$ (IV-13)

Note that the corresponding values of $\theta$ in (IV-13) are given by (IV-10).
The following is one of the solutions to Sorting Problem II:

$\{(B, \alpha)\} = \{(L/2, 0), (L/2 + 1, 0), (L/2 + 1, 1), (L/2 + 1, 2), (L/2 + 2, 0), \ldots, (L - 1, L - 2)\}.$ (IV-14)

Note that all solutions to Sorting Problem II are equivalent to each other in terms of the resulting complexity. In particular, for a given $B$, we follow the strategy of varying $\alpha$ in increasing order, beginning from 0 and ending at $2B - L$, as illustrated in (IV-14).
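Sorting Problem II worked through numerically, as an added Python example (not code from the paper or its authors): it walks the order (IV-14), counting $|\mathcal{Q}(\theta, \alpha)| = \binom{\beta + \theta - 1}{\theta - 1}$ elements of success probability $2^{-B}$ at each $(B, \alpha)$, and reports how many guesses are needed before the cumulative success probability exceeds $1/2$ and at which cost level $B$ that happens; the function names are assumptions of this example, and the arithmetic is exact.

```python
"""Guess budget of the sorted strategy (IV-14).  Added example, not the paper's
code.  For each (B, alpha): theta = L - B + alpha (IV-10), beta = 2B - L - alpha
(= L - 2 theta + alpha), |Q(theta, alpha)| = comb(beta + theta - 1, theta - 1)
(compositions of beta into theta non-negative parts) and every element of
Q(theta, alpha) has success probability 2^-B (IV-4)."""
from fractions import Fraction
from math import comb


def guess_budget(L):
    """Walk B = L/2 .. L-1 and alpha = 0 .. 2B-L as in (IV-14).  Returns
    (count, B_stop, cumulative): the number of guesses needed for the cumulative
    success probability to exceed 1/2 strictly, the cost level B at which that
    happens, and the cumulative probability reached."""
    if L % 2:
        raise ValueError("L must be even (the paper takes L divisible by 6)")
    half = Fraction(1, 2)
    cum, count = Fraction(0), 0
    for B in range(L // 2, L):
        p = Fraction(1, 2 ** B)                    # success probability per guess
        for alpha in range(0, 2 * B - L + 1):
            theta = L - B + alpha                  # (IV-10)
            beta = 2 * B - L - alpha               # sum of the theta guessed q_i
            n_elems = comb(beta + theta - 1, theta - 1)
            if cum + n_elems * p > half:
                need = (half - cum) // p + 1       # least k with cum + k*p > 1/2
                return count + need, B, cum + need * p
            cum += n_elems * p
            count += n_elems
    # Not reached: the level B = L-1 alone contributes exactly 1/2, and the
    # levels before it contribute a positive amount.
    raise AssertionError("cumulative success probability never exceeded 1/2")


def exponent(L):
    """floor(log2 count) / L for the budget above; the converse theorem says the
    count is 2^(2L/3) to the first order in the exponent."""
    count, _, _ = guess_budget(L)
    return (count.bit_length() - 1) / L
```

For $L = 6$ the walk needs 8 guesses and stops at $B = 4 = 2L/3$; for $L = 12$ it needs 104 guesses and stops at $B = 8 = 2L/3$ with cumulative probability $129/256$; for $L = 60$ it again stops at $B = 40 = 2L/3$, which is the point made at the end of the proof: the levels $L/2 \le B \le 2L/3 - 1$ never reach $1/2$ on their own.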

Next, we concentrate on the range $L/2 \le B < 2L/3$ and analyze the corresponding cumulative success probability (denoted by $P_1$) of the aforementioned strategy (cf. (IV-14)), i.e.,

$P_1 = \sum_{B = L/2}^{2L/3 - 1} \sum_{\alpha = 0}^{2B - L} \Pr(\mathcal{Q}(\theta, \alpha))\Big|_{\theta = L - B + \alpha}.$ (IV-15)

Next, we derive an upper bound on $P_1$ which will be used in the subsequent computations.

Lemma IV-1: The cumulative success probability in the range $L/2 \le B < 2L/3$ (i.e., $P_1$) is upper-bounded by

$P_1 \le \sum_{\theta = L/3 + 1}^{2L/3 - 1} \sum_{\alpha = 0}^{\theta - L/3 - 1} \Pr(\mathcal{Q}(\theta, \alpha)).$ (IV-16)



Proof: From (IV-15), we see that $P_1$ is defined in the $(B, \alpha)$ space (where $B = L - \theta + \alpha$), over the set

$A = \left\{ (B, \alpha) : \frac{L}{2} \le B \le \frac{2L}{3} - 1,\ 0 \le \alpha \le 2B - L \right\},$ (IV-17)

i.e., $P_1 = \sum_{(B, \alpha) \in A} \Pr(\mathcal{Q}(\theta, \alpha))\big|_{\theta = L - B + \alpha}$. Next, we proceed with defining a set $\bar{A}$. The purpose of using this set is to transform the summation indexes to the corresponding $(\theta, \alpha)$ for each $(B, \alpha) \in A$. Now we show that $\bar{A}$ is a superset of $A$. This is done in four steps.

1) First, recall that

$\alpha \ge 0.$ (IV-18)

2) Second, observe that

$B \le \frac{2L}{3} - 1 \;\Rightarrow\; L - \theta + \alpha \le \frac{2L}{3} - 1 \;\Rightarrow\; \alpha \le \theta - \frac{L}{3} - 1.$ (IV-19)

3) Third, note that (IV-19) is equivalent to

$\theta \ge \frac{L}{3} + \alpha + 1.$ (IV-20)

Using (IV-18) in (IV-20) implies

$\theta \ge \frac{L}{3} + 1.$ (IV-21)

4) Fourth, using $B \le \frac{2L}{3} - 1$ in $\alpha \le 2B - L$ (cf. (IV-17)) implies

$\alpha \le \frac{L}{3} - 2.$ (IV-22)

Also, using (IV-7) we have

$[\alpha \le 2B - L = L - 2\theta + 2\alpha] \;\Rightarrow\; \theta \le \frac{L}{2} + \frac{\alpha}{2}.$ (IV-23)

Using (IV-22) in (IV-23) yields

$\theta \le \frac{2L}{3} - 1.$ (IV-24)

Now, defining

$\bar{A} = \left\{ (B, \alpha) : \frac{L}{3} + 1 \le \theta \le \frac{2L}{3} - 1,\ 0 \le \alpha \le \theta - \frac{L}{3} - 1,\ \text{where } B = L - \theta + \alpha \right\},$

and using (IV-18), (IV-19), (IV-21), (IV-24), we conclude that $A \subset \bar{A}$, which implies (IV-16). ■

Next, we proceed with providing an upper bound on the right hand side of (IV-16), which will be shown to be diminishing in $L$, the length of the generator polynomial of the LFSR$^9$. In order to achieve this task, we heavily use the concept of "typical set" (cf. (III-1)). Note that, using (IV-4) and $H(Q) = 2$, (III-1) can be shown to be equivalent to

(IV-25)

$^9$ This result, in turn, implies that an optimal QuBaR attack which uses the solution to Sorting Problem II for $\theta > L/3$ has a negligible cumulative success probability, i.e., negligible success probability.
In the following lemma, we show that all guesses $\{\mathcal{Q}(\theta, \alpha)\}$ included in the summation on the right hand side of (IV-16) are necessarily "atypical" (i.e., belong to the complement of the corresponding typical set).

Lemma IV-2: For any $\theta \in \mathbb{Z}^+$ such that $\theta > L/3$, and for all $\alpha \in \mathbb{N}$ such that $0 \le \alpha < \theta - \frac{L}{3}$, we have $\mathcal{Q}(\theta, \alpha) \subset \left[A_\epsilon^{(\theta)}\right]^c$ for all $\epsilon \in \left(0, \frac{1}{\theta}\right)$, where $\left[A_\epsilon^{(\theta)}\right]^c$ denotes the complement of the typical set $A_\epsilon^{(\theta)}$.

Proof: First of all, note that (cf. (IV-3)) we have

$\beta = L - 2\theta + \alpha.$ (IV-26)

Hence, for any $q_1^\theta \in \mathcal{Q}(\theta, \alpha)$ such that $\theta > L/3$ and $0 \le \alpha < \theta - \frac{L}{3}$, we have

$-\frac{1}{\theta} \log p(q_1^\theta) - H(Q) = \frac{\theta + \beta}{\theta} - 2,$ (IV-27)
$= \frac{L - \theta + \alpha}{\theta} - 2,$ (IV-28)
$< \frac{2L}{3\theta} - 2,$ (IV-29)
$\le \frac{2L}{L + 3} - 2 = -\frac{6}{L + 3} < 0,$ (IV-30)

where (IV-27) follows from the fact that $p(q_1^\theta) = 2^{-(\theta + \beta)}$ and $H(Q) = 2$, (IV-28) follows using (IV-26) in (IV-27), (IV-29) follows since $\alpha < \theta - L/3$, and (IV-30) follows since $\theta \ge \frac{L}{3} + 1$. Note that (IV-30) implies

$\left| -\frac{1}{\theta} \log p(q_1^\theta) - H(Q) \right| > \frac{6}{L + 3}.$ (IV-31)

Now, since $\theta \ge \frac{L}{3} + 1$ (equivalently $\frac{1}{\theta} \le \frac{3}{L + 3}$), we have $\epsilon < \frac{6}{L + 3}$ for all $\epsilon \in \left(0, \frac{1}{\theta}\right)$. Using this in (IV-31), the claim follows. ■

Next, we provide an upper bound on the right hand side of ( 1IV-161 > using Lemma |IV-2I For all eg G (0, |), we have 

2 L ^ q L_ 2L 

£ £ Pr(0(*,a)) < £ Pr([<] (c) ), (IV-32) 



21, _i 
3 1 

< E e *> 



max eg 

i<e<^-i 



(IV-33) 



(IV-34) 



3 T-*- — 1 '— 3 



where (IIV-32b follows from Lemma HV-21 and the fact that, for any given 9, {Q (9, a)} are disjoint by construction, ( IIV-331 ) 
follows from ( IIII-3I ). Now, choosing eg — J? for all 9, and using (1IV-341 I in (IIV- 16b . we have 



n lf-i 



max 



1 \ L/3 - 1 3 
1 - < 



^+i<g<^-i9 2 J (i/3+1) 2 L 
Thus, for any 6\ > 0, there exists a sufficiently large L (per assumption A4), where 



(IV-35) 



Pi < S v 



(IV-36) 
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Note that, for the optimal strategy, which uses the ordering mentioned in ( II V- 141 ), flIV-351 ) and ( 1IV-36I ) imply that the range 
of ^ < B < ^ — lis not sufficient to achieve every given cumulative success probability strictly greater than 1/2, since <5i 
can be made arbitrarily small. Therefore, we necessarily need to include guesses with B = 2L/3 in the optimal structure to 
achieve a cumulative success probability strictly greater than 1/2. 
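The index-set and typical-set arguments above can be checked mechanically for a concrete LFSR length. The following Python script is an added example written for this page; it is not code from the paper. It assumes the paper's model as used in Appendix IV: a guess of $\theta$ symbols of $Q$ with digit sum $\beta$ has probability $2^{-(\theta+\beta)}$, $H(Q)=2$ bits, and $\mathcal{Q}(\theta,\alpha)$ is the set of length-$\theta$ sequences with $\beta = L - 2\theta + \alpha$ per (IV-26). It checks the deviation bound of Lemma IV-2 over the full index ranges used in (IV-32) and (IV-39), the relation $A \subseteq \tilde{A}$ from the preceding proof, the bound (IV-35), and, going slightly beyond this passage, the value of $\varepsilon$ below which the length-$L/3$ typical set contains only the digit sum $\beta = L/3$. Exact rationals are used so that no floating-point slack can mask a boundary case.

```python
# Added example (not from the paper): numerical check of the index-set and
# typical-set arguments of Appendix IV for a concrete LFSR length L.
# Assumed model, taken from the paper's notation: a guess of theta symbols
# of Q with digit sum beta has probability 2^-(theta+beta), H(Q) = 2 bits,
# and the guess set Q(theta, alpha) consists of the length-theta sequences
# with beta = L - 2*theta + alpha (IV-26).  Exact rationals avoid float noise.
from fractions import Fraction


def beta(L, theta, alpha):
    """beta of the guess set Q(theta, alpha), per (IV-26)."""
    return L - 2 * theta + alpha


def deviation(L, theta, alpha):
    """-(1/theta) log2 p(q^theta) - H(Q) for q^theta in Q(theta, alpha),
    i.e. (theta + beta)/theta - 2 as in (IV-27)."""
    return Fraction(theta + beta(L, theta, alpha), theta) - 2


def lemma_iv2_holds(L):
    """Check Lemma IV-2 over the ranges used in (IV-32) and (IV-39):
    every deviation is at most -6/(L+3) (IV-30), so its absolute value
    exceeds any eps in (0, 1/theta).  L must be a multiple of 3."""
    if L % 3:
        raise ValueError("L must be a multiple of 3")
    bound = Fraction(-6, L + 3)
    for theta in range(L // 3 + 1, 2 * L // 3 + 1):
        for alpha in range(0, theta - L // 3 + 1):
            d = deviation(L, theta, alpha)
            if d > bound or abs(d) <= Fraction(1, theta):
                return False
    return True


def set_A(L):
    """The (B, alpha) index set A of (IV-17)."""
    return {(B, a) for B in range(L // 3 + 1, 2 * L // 3)
            for a in range(0, 2 * B - L + 1)}


def set_A_tilde(L):
    """The (B, alpha) index set A-tilde built from (theta, alpha) with
    L/3+1 <= theta <= 2L/3-1, 0 <= alpha <= theta-L/3-1, B = L-theta+alpha."""
    return {(L - theta + a, a) for theta in range(L // 3 + 1, 2 * L // 3)
            for a in range(0, theta - L // 3)}


def p1_bound(L):
    """Right-hand side of (IV-35): (L/3-1) * max 1/theta^2 over L/3+1 <= theta <= 2L/3-1."""
    thetas = range(L // 3 + 1, 2 * L // 3)
    return (Fraction(L, 3) - 1) * max(Fraction(1, t * t) for t in thetas)


def typical_betas(L, eps):
    """Digit sums beta of length-(L/3) sequences inside the typical set
    A_eps^(L/3): |(L/3 + beta)/(L/3) - 2| <= eps.  Only beta = L/3 survives
    when eps < 3/L, which is the digit sum shared by all of Q(L/3, 0)."""
    n = L // 3
    return {b for b in range(0, 2 * n + 1)
            if abs(Fraction(n + b, n) - 2) <= eps}


if __name__ == "__main__":
    L = 30  # constructed sample length; a multiple of 6 so L/3 and L/2 are integers
    print("Lemma IV-2 holds for L =", L, ":", lemma_iv2_holds(L))
    print("A is a strict subset of A-tilde:", set_A(L) < set_A_tilde(L))
    print("P1 bound (IV-35):", p1_bound(L), "< 3/L =", Fraction(3, L))
    print("typical betas, eps = 1/L:", typical_betas(L, Fraction(1, L)))
    print("typical betas, eps = 3/L:", typical_betas(L, Fraction(3, L)))
```

For $L = 30$ the script reports that $\tilde{A}$ strictly contains $A$ (the pair $(B,\alpha) = (11, 0)$ lies in $\tilde{A}$ but violates $\alpha \le 2B - L$), so the relaxation in the proof is a genuine superset, and that the (IV-35) bound evaluates to $9/121$, below $3/L = 1/10$.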

Next, we quantify the contribution to the cumulative success probability for the case $B = 2L/3$. In this case, for the optimal strategy, since $\theta = L - B + \alpha$ and $0 \le \alpha \le 2B - L$ for a given value of $B$, the corresponding $(\theta,\alpha)$ pairs are of the form $\{(\tfrac{L}{3} + \alpha, \alpha)\}_{0 \le \alpha \le L/3}$. Thus, for $B = 2L/3$, the total contribution to the cumulative success probability is given by
\[ \Pr\big(\mathcal{Q}(L/3, 0)\big) + \sum_{\alpha=1}^{L/3} \Pr\big(\mathcal{Q}(L/3 + \alpha, \alpha)\big). \tag{IV-37} \]
Note that the summation term of (IV-37) is "atypical" per Lemma IV-2; accordingly, we will show that the only significant contribution to the cumulative success probability is due to the first term of (IV-37), $\Pr(\mathcal{Q}(L/3,0))$, since it includes terms within the corresponding typical set.

Next, we provide an upper bound on the summation term of (IV-37). Defining $P_2 = \sum_{\alpha=1}^{L/3} \Pr\big(\mathcal{Q}(\tfrac{L}{3} + \alpha, \alpha)\big)$, for all $\varepsilon_\theta \in (0, \tfrac{1}{\theta})$ we have
\[
\begin{aligned}
P_2 &= \sum_{\theta = L/3+1}^{2L/3} \Pr\big(\mathcal{Q}(\theta, \theta - L/3)\big), &\text{(IV-38)}\\
&\le \sum_{\theta = L/3+1}^{2L/3} \Pr\Big(\big[\mathcal{A}_{\varepsilon_\theta}^{(\theta)}\big]^c\Big), &\text{(IV-39)}\\
&\le \left(\tfrac{L}{3}\right)\left(\max_{L/3+1 \le \theta \le 2L/3} \varepsilon_\theta\right), &\text{(IV-40)}
\end{aligned}
\]
where (IV-38) follows from using $\theta = (L - B + \alpha)|_{B = 2L/3}$, (IV-39) follows from Lemma IV-2, and (IV-40) follows using (III-3). Choosing $\varepsilon_\theta = \tfrac{1}{\theta^2}$ for all $\theta$ in (IV-40), we have
\[ P_2 \le \frac{L/3}{(L/3+1)^2} < \frac{3}{L}. \tag{IV-41} \]
Thus, for any $\delta_2 > 0$, there exists a sufficiently large $L$ (per assumption A4) for which
\[ P_2 \le \delta_2. \tag{IV-42} \]
Since $\delta_1$ (resp. $\delta_2$) in (IV-36) (resp. (IV-42)) can be made arbitrarily small, we necessarily need to use guesses from the set $\mathcal{Q}(\tfrac{L}{3}, 0)$ in order to achieve a cumulative success probability strictly greater than $1/2$.

Next, consider the case $(\theta,\alpha) = (\tfrac{L}{3}, 0)$. Note that, for any $q^{L/3} \in \mathcal{Q}(\tfrac{L}{3}, 0)$, we have
\[ p(q^{L/3}) = 2^{-(2L/3)}. \tag{IV-43} \]
Per (IV-25), (IV-43) implies that $\mathcal{Q}(\tfrac{L}{3}, 0) \subseteq \mathcal{A}_\varepsilon^{(L/3)}$ for any $\varepsilon > 0$. Furthermore, after some straightforward algebraic manipulations, it can be shown that, for $0 < \varepsilon < 3/L$, we have $\mathcal{A}_\varepsilon^{(L/3)} \subseteq \mathcal{Q}(\tfrac{L}{3}, 0)$; therefore we have

(IV-44)

In fact, (IV-44) constitutes the fundamental crux of the converse proof. This observation implies that using sufficiently many guesses from the set $\mathcal{Q}(\tfrac{L}{3}, 0)$ is both necessary (since $\delta_1$ and $\delta_2$ may be arbitrarily small) and sufficient (since for $0 < \varepsilon < 3/L$ we have $\Pr\big(\mathcal{Q}(\tfrac{L}{3}, 0)\big) = \Pr\big(\mathcal{A}_\varepsilon^{(L/3)}\big) > 1 - \varepsilon$) to achieve a cumulative success probability strictly greater than $1/2$ for large $L$ (per Assumption A4).

Now, let
\[ P_1 + P_2 + P_3 > 1/2 \tag{IV-45} \]
denote the cumulative success probability of the optimal attack in the set $\tilde{S}^E$, where $P_3$ denotes the contribution to the cumulative success probability by the guesses from $\mathcal{Q}(\tfrac{L}{3}, 0)$.$^{10}$ Using (IV-35) and (IV-41) in (IV-45), we have
\[ P_3 > \frac{1}{2} - \frac{6}{L}. \tag{IV-46} \]
Next, let $C$ denote the number of sequences used from the set $\mathcal{Q}(\tfrac{L}{3}, 0)$. Using (IV-43), we have
\[ C = P_3 / 2^{-2L/3}. \tag{IV-47} \]
Combining (IV-46) and (IV-47) yields
\[ C = P_3\, 2^{2L/3} > 2^{2L/3}\left(\frac{1}{2} - \frac{6}{L}\right), \]
and, since $C(\tilde{\mathfrak{A}}^E_{\mathrm{opt}}) \ge C$, using $S^E \subseteq \tilde{S}^E$ yields
\[ C^E_{\min} = C(\mathfrak{A}^E_{\mathrm{opt}}) \ge \tilde{C}^E_{\min} = C(\tilde{\mathfrak{A}}^E_{\mathrm{opt}}) \ge C > 2^{2L/3}\left(\frac{1}{2} - \frac{6}{L}\right), \tag{IV-48} \]
where $\mathfrak{A}^E_{\mathrm{opt}}$ and $\tilde{\mathfrak{A}}^E_{\mathrm{opt}}$ have been defined in (IV-1) and (IV-8), respectively. Hence, the claim finally follows. □



Appendix V
Proof of Theorem 4.3

For the sake of clarity, we use the notation $G_k\big(i_k = 1, \theta_k, \{q^{(k)}_l\}_{l=1}^{\theta_k}\big)$ (instead of $G_k\big(i_k = 1, \theta_k, q_{i_k}^{i_k+\theta_k-1}\big)$) throughout the proof in this section, so that $\{q^{(k)}_l\}_{l=1}^{\theta_k}$ denotes the sequence guessed by $G_k$.

(i) First of all, note that, letting $\mathfrak{A}^E_{\mathrm{opt}} = \{G_k\}_{k=1}^{C(\mathfrak{A}^E_{\mathrm{opt}})}$ denote the optimal exhaustive-search type QuBaR attack against ABSG with success probability $\Pr_{\mathrm{succ}}(\mathfrak{A}^E_{\mathrm{opt}})$, the claim is equivalent to the following statement: for any $i \ne j$; $i, j \in \{1, \dots, C(\mathfrak{A}^E_{\mathrm{opt}})\}$ (assuming $\theta_j \ge \theta_i$ w.l.o.g.), we have $\{q^{(i)}_l\}_{l=1}^{\theta_i} \ne \{q^{(j)}_l\}_{l=1}^{\theta_i}$. Suppose to the contrary that $\{q^{(i)}_l\}_{l=1}^{\theta_i} = \{q^{(j)}_l\}_{l=1}^{\theta_i}$ for some $i \ne j$, $i, j \in \{1, \dots, C(\mathfrak{A}^E_{\mathrm{opt}})\}$, where w.l.o.g. $\theta_j \ge \theta_i$. Given $\mathfrak{A}^E_{\mathrm{opt}}$, we construct an exhaustive-search type QuBaR attack $\mathfrak{A}^E$ by eliminating $G_j$ from $\mathfrak{A}^E_{\mathrm{opt}}$, i.e., $\mathfrak{A}^E = \{\tilde{G}_k\}_{k=1}^{C(\mathfrak{A}^E_{\mathrm{opt}}) - 1}$, where $\tilde{G}_k = G_k$ for $k \in \{1, \dots, j-1\}$ and $\tilde{G}_k = G_{k+1}$ for $k \in \{j, \dots, C(\mathfrak{A}^E_{\mathrm{opt}}) - 1\}$. Next, note that
\[
\big[(T(G_j) = 1) \implies (T(G_i) = 1)\big] \implies \left[ \Pr\Big(\bigvee_{k=1}^{C(\mathfrak{A}^E_{\mathrm{opt}})} [T(G_k) = 1]\Big) = \Pr\Big(\bigvee_{k=1,\, k \ne j}^{C(\mathfrak{A}^E_{\mathrm{opt}})} [T(G_k) = 1]\Big) \right]. \tag{V-1}
\]
If $G_j$ is a correct guess, then all of $\{q^{(j)}_l\}_{l=1}^{\theta_j}$ are correct, which implies that $\{q^{(j)}_l\}_{l=1}^{\theta_i}$ are necessarily correct as well since $\theta_i \le \theta_j$. Further, this implies that $\{q^{(i)}_l\}_{l=1}^{\theta_i}$ are correct as well per the contradiction assumption. Hence, this proves the left hand side of (V-1); thus, the right hand side of (V-1) is true as well. This, in turn, is equivalent to $\Pr_{\mathrm{succ}}(\mathfrak{A}^E_{\mathrm{opt}}) = \Pr_{\mathrm{succ}}(\mathfrak{A}^E)$, which yields the promised contradiction ($C(\mathfrak{A}^E) = C(\mathfrak{A}^E_{\mathrm{opt}}) - 1$) since $\mathfrak{A}^E_{\mathrm{opt}}$ is an optimal exhaustive-search type QuBaR attack for the given success probability $\Pr_{\mathrm{succ}}(\mathfrak{A}^E_{\mathrm{opt}})$; hence the proof of the first statement of Theorem 4.3.

(ii) Suppose not; then there exist some $i, j \in \{1, 2, \dots, C(\mathfrak{A}^E_{\mathrm{opt}})\}$, $i \ne j$, such that $\Pr\big[(T(G_i) = 1) \cap (T(G_j) = 1)\big] > 0$. This implies that there is some realization $q$ of $Q$ with non-zero probability such that the events $(T(G_i) = 1)$ and $(T(G_j) = 1)$ both occur at the same time. In other words, there exists some $q$ with $\Pr(Q = q) > 0$ such that $\{q_l\}_{l=1}^{\theta_i} = \{q^{(i)}_l\}_{l=1}^{\theta_i}$ and $\{q_l\}_{l=1}^{\theta_j} = \{q^{(j)}_l\}_{l=1}^{\theta_j}$. However, this implies that $\{q^{(i)}_l\}_{l=1}^{\theta_i}$ is a prefix of $\{q^{(j)}_l\}_{l=1}^{\theta_j}$ (assuming w.l.o.g. $\theta_i \le \theta_j$). Hence a contradiction (per the first statement of Theorem 4.3), which completes the proof of the second statement of Theorem 4.3.

(iii) This statement is the direct consequence of the first and second statements of the theorem.

(iv) First recall that, at optimality, $C(\mathfrak{A}^E_{\mathrm{opt}})$ is the smallest possible value (given the success probability $\Pr_{\mathrm{succ}}(\mathfrak{A}^E_{\mathrm{opt}})$). This observation and (6) clearly imply that the optimal strategy consists of "sorted" guesses (in descending order) with respect to the probabilities $\{\Pr(T(G_k) = 1)\}$ of the corresponding success events $\{(T(G_k) = 1)\}$, since the success probability $\Pr_{\mathrm{succ}}(\mathfrak{A}^E_{\mathrm{opt}})$ is fixed.

□

$^{10}$ Note that, w.l.o.g., we assume that, at step $B = 2L/3$, the proposed optimal attack uses guesses from the set $\mathcal{Q}(\tfrac{L}{3}, 0)$ in the end (i.e., after applying guesses from the sets $\{\mathcal{Q}(\tfrac{L}{3} + \alpha, \alpha)\}$, whose contributions to the cumulative success probability are denoted by $P_2$). Since our strategy is to "lower-bound" the number of guesses from the set $\mathcal{Q}(\tfrac{L}{3}, 0)$ and declare the resulting value as a lower bound on the overall complexity, $C_{\min}$, this approach maintains the validity of our result.

Appendix VI
Proof of Theorem 5.1

The attack mentioned in the statement of the theorem is the "most probable case attack" given in [7], [15], which consists of simply "trying" a guess of the all-zero sequence of $\{Q_i\}$ (of length $L/2$) for non-overlapping windows of output; here we assume w.l.o.g. that $L$ is sufficiently large and even per assumption A4 of Sec. III-A. Formally, this attack can be defined as follows:
\[
\mathfrak{A}_{\mathrm{ach,opt}} = \{G_k\}_{k=1}^{C(\mathfrak{A}_{\mathrm{ach,opt}})} \text{ s.t. for each guess } G_k = \big(i_k, \theta_k, q_{i_k}^{i_k+\theta_k-1}\big):\ i_k = (k-1)\tfrac{L}{2} + 1,\ \theta_k = \tfrac{L}{2},\ \beta_k = 0,
\]
where we recall that, for each $k$, $\beta_k = \sum_{j=0}^{\theta_k - 1} Q_{i_k + j}$ and the probability of $G_k$ being correct is $\Pr[T(G_k) = 1] = 2^{-(\theta_k + \beta_k)}$. Since $\beta_k = 0$ and $\theta_k = L/2$ for each guess $G_k$ of the proposed attack, we have
\[ \Pr[T(G_k) = 1] = 2^{-L/2}, \quad 1 \le k \le C(\mathfrak{A}_{\mathrm{ach,opt}}). \tag{VI-1} \]
Hence, we have
\[
\begin{aligned}
\Pr_{\mathrm{succ}}(\mathfrak{A}_{\mathrm{ach,opt}}) &= \Pr\Big(\bigvee_{k=1}^{C(\mathfrak{A}_{\mathrm{ach,opt}})} [T(G_k) = 1]\Big), \\
&= 1 - \Pr\Big(\bigwedge_{k=1}^{C(\mathfrak{A}_{\mathrm{ach,opt}})} [T(G_k) = 0]\Big), \\
&= 1 - \prod_{k=1}^{C(\mathfrak{A}_{\mathrm{ach,opt}})} \Pr[T(G_k) = 0], &\text{(VI-2)}\\
&= 1 - \big(1 - 2^{-L/2}\big)^{C(\mathfrak{A}_{\mathrm{ach,opt}})}, &\text{(VI-3)}
\end{aligned}
\]
where (VI-2) follows from the fact that the events $\{T(G_k) = 0\}$ are independent (since they correspond to non-overlapping windows of $\{Q_i\}$, which are i.i.d.) and (VI-3) follows from (VI-1). Now, recall that
\[ \lim_{x \to 0} (1 - x)^{1/x} = 1/e. \tag{VI-4} \]
Next, choosing $C(\mathfrak{A}_{\mathrm{ach,opt}}) = 2^{L/2}$, for large $L$ we have
\[ \lim_{L \to \infty} \Pr_{\mathrm{succ}}(\mathfrak{A}_{\mathrm{ach,opt}}) = \lim_{L \to \infty} \left[ 1 - \big(1 - 2^{-L/2}\big)^{2^{L/2}} \right] = 1 - \frac{1}{e} > \frac{1}{2}, \]
which follows from (VI-4). This implies that $\mathfrak{A}_{\mathrm{ach,opt}} \in S_p$, where $C(\mathfrak{A}_{\mathrm{ach,opt}}) = 2^{L/2}$ for sufficiently large $L$ (per assumption A4). Furthermore, note that all guesses $\{G_k\}$ of the proposed attack $\mathfrak{A}_{\mathrm{ach,opt}}$ are equally likely to succeed (cf. (VI-1)), which subsequently implies that $C_{\mathrm{ave}}(\mathfrak{A}_{\mathrm{ach,opt}}) = \tfrac{1}{2}\big(2^{L/2} + 1\big)$. Hence the proof. □

Appendix VII
Proof of Theorem

Throughout the proof, we assume w.l.o.g. that $L$ is even, since it is sufficiently large per assumption A4. We first recall that we have
\[ \forall k \in \mathbb{Z}^+, \quad \Pr(T(G_k) = 1) \le \left(\tfrac{1}{2}\right)^{L/2}, \tag{VII-1} \]
due to (IV-9) of Appendix IV.$^{11}$

Next, we proceed with a similar approach to the one pursued in the proof of Theorem 4.2. In particular, we begin by defining a set $\tilde{S}_p$, which is a superset of $S_p$, the set of successful QuBaR attacks:
\[ \tilde{S}_p = \left\{ \mathfrak{A} = \{G_k\}_{k=1}^{C(\mathfrak{A})} : \sum_{k=1}^{C(\mathfrak{A})} \Pr[T(G_k) = 1] > 1/2 \right\}. \tag{VII-2} \]

$^{11}$ Note that, in Appendix IV, we derived (IV-9) for exhaustive-search attacks, for which the starting index of the attack is set to unity (cf. (IV-3)). However, after some straightforward algebra, it can be shown that, following (IV-3), all the subsequent derivations of Appendix IV regarding the "valid ranges of fundamental system parameters" $\theta$, $\beta$, $\alpha$ and $B$ (including the utilized result (IV-9)) remain valid even if we relax the aforementioned condition on the starting index, which amounts to the general case attacks. Thus, (IV-9) can be shown to hold in the case of general QuBaR attacks.

Using the union bound yields, for any $\mathfrak{A} \in S_p$,
\[ \Pr\Big(\bigvee_{k=1}^{C(\mathfrak{A})} [T(G_k) = 1]\Big) \le \sum_{k=1}^{C(\mathfrak{A})} \Pr(T(G_k) = 1). \]
Thus, we have
\[ [\mathfrak{A} \in S_p] \implies [\mathfrak{A} \in \tilde{S}_p], \]
which implies
\[ S_p \subseteq \tilde{S}_p. \tag{VII-3} \]
Further, for any $\mathfrak{A} \in \tilde{S}_p$, we have
\[ \frac{1}{2} < \sum_{k=1}^{C(\mathfrak{A})} \Pr[T(G_k) = 1] \le \sum_{k=1}^{C(\mathfrak{A})} \left(\tfrac{1}{2}\right)^{L/2} = 2^{-L/2}\, C(\mathfrak{A}), \tag{VII-4} \]
where the first and the second inequalities follow from (VII-2) and (VII-1), respectively. As a result, we have
\[ \min_{\mathfrak{A} \in S_p} C(\mathfrak{A}) \ge \min_{\mathfrak{A} \in \tilde{S}_p} C(\mathfrak{A}) > 2^{L/2 - 1}, \]
where the first inequality follows from (VII-3) and the second inequality follows from the fact that (VII-4) holds for any $\mathfrak{A} \in \tilde{S}_p$. Hence the proof. □